Many consumers and IT admins at small and medium businesses have a false sense of security stemming from low self-esteem. The prevailing logic assumes that attackers have bigger or more lucrative fish to fry and won’t bother investing the time to attack them. Nothing could be further from the truth.
The reality is most attackers aren’t all that tech savvy themselves and most attacks are conducted using automated tools. Every compromised PC has value to an attacker and every exploited account is a worthwhile target. It’s up to you to make sure you protect yourself.
I wrote this blog post about ensuring you aren’t an easy target for attackers:
Attackers are typically lazy and many attacks are automated. If you’re an easy target, you will inevitably get breached.
You’ve probably heard somebody say something to the effect that they don’t worry too much about security because they don’t have any data of value or interest. Maybe you’ve even said that about your business. Unfortunately, that isn’t how attacker logic works.
The mistake in this (lack of) logic is the belief that attacks follow a specific agenda. The thought process is actually pretty straightforward. Attackers perform some sort of preliminary reconnaissance to assess their targets. So clearly, once they see how boring and ordinary your data is, they won’t bother with the effort. It may be true that an attacker would find little or no value in your data, and that the financial gains won’t be as great. In most cases that isn’t the goal, though.
Consider a burglar who decides to target the home of a very wealthy person and develops a plan to bypass the security measures in place. Contrast that with a burglar who just walks down the street trying every door to find one that’s unlocked.
There are sophisticated attacks that target specific organizations or individuals, but the vast majority of them are attacks of convenience.
Most cyber criminals are not all that tech savvy themselves. There’s an entire black market where would-be crooks can buy pre-packaged exploits and attack tools. Launching an attack is as simple as launching Microsoft Word…as long as the target systems have the appropriate vulnerabilities open and fit the criteria expected by the exploit. Most attacks are automated and simply scour the Internet in search of targets that fit the description.
Check out the full post on the RSA Conference blog: Don’t Make the Mistake of Being the Low-Hanging Fruit.