How to address the epic question: “Who would want to hack us? We are such a small company.”

I was presented with a question from the C-levels on the business side of an organization, and I would like to share it with anyone who wants to listen.  This question illustrates the mentality businesses have when dealing with security, which should be addressed by your security manager or director.  I can make a statement that all businesses share a commonality with each other when it comes to information security, regardless of the vertical you are in.  Some of you may disagree, but take the time to read what I have to say and I bet you will agree with me. If not, that is okay too; it’s an opinion and everyone has one.


Whatever industry you are in, whether it’s finance, manufacturing, healthcare, etc., you may have different regulatory requirements like SOX, HIPAA, or PCI, but you as a business still have a commonality with every other industry.  You may already know what this is; if not, I will address it in a bit.  Let’s address the question I am talking about.


“We are a manufacturing company that makes xyz widgets, so why do we need to be so concerned about information security?  Who wants our information?  The hackers do not care about Xyz Company.”  This statement is dead wrong, and I will explain why and how you should answer those questions.


First, I will ask and answer this question: what does xyz company have in common with, say, a bank, hospital, tech company, whatever?  We all have employees, which are the weakest link, but not only that, we have employees that have social security numbers and bank routing numbers.  All companies harvest this information.  What department?  You got it, Human Resources.  Most companies, large or small, are doing what we call today direct pay.  You also had to provide your social security number to the HR department before you started work, for tax and benefit purposes.  We also have extranet setups between the company and the bank, mostly EDI transactions.  So even if you are Joe Schmoe company, you still have valuable and sensitive information.

I will describe how a social security number is maybe more valuable than a bank routing number or just plain old banking information.  If you have seen the October 25th, 2009 “Medicare Fraud” episode from 60 Minutes[i], you probably already know what I am speaking about.  If not, I suggest you watch this episode, but I will describe a little bit of what I remember.  60 Minutes interviewed a man who was ripping off the Medicare program by setting up fake health care practices and then charging back to Medicare.  He was once a drug dealer, now making more money ripping off the system.  Medicare fraud is bigger than the drug business in total volume, according to the article.  Here is a quote that shows the quantitative figure associated with this crime:  "They've figured out that rather than stealing $100,000 or $200,000, they can steal $100 million."  He needed only four items to pull off this scam:

  1. Name

  2. Social Security Number

  3. Date of birth – make sure you take your date of birth off your Facebook page; it is just another place to source information.

  4. Address.

I bet every HR department has that kind of information.  I know mine does, and I know all the ones I worked for in the past do as well.  People sell lists of names at $10 per name, and he would buy 1,000 or 10,000 at a time.  As the banks and health care verticals spend more on security, and it becomes harder for attackers to go unseen and gain access, smaller, less obvious companies may be targeted.  Heck, if I were a bad guy doing something like this, I would purposely target the small companies.  I bet I could get in and out without a trace, keeping my scam from being detected.  So the next time you are presented with a question from the business like the one that was presented to me, make sure they know that just having an internet presence produces risk.  Not addressing this does an injustice to the company and its employees, and undermines the security department and what it is trying to accomplish.  However, I know it’s the business’s objectives that are put on the front burner, and security is usually a reactive approach when it should be proactive.