The “l’m Too Small to be a Target” Fallacy

When retailer Target was hacked in 2013, the damage was so extensive that direct costs exceeded $250 million. To its credit, Target’s external-facing cybersecurity wasn’t too bad; the attack came through a mom-and-pop HVAC vendor with unnecessary access to the retailer’s network.

Smaller enterprises like the HVAC company are often under the illusion that they have no reason to be targeted by a cyberattack. Not only is this blatantly false, as the Target example illustrates, but for firms serving narrow vertical markets, the potential harm from such incidents is magnified.

For instance, consider a law practice that deals almost exclusively in mergers and acquisitions. Why would the firm need anything beyond rudimentary security measures? After all, its network doesn’t store much financial data, and it only maintains personal information on its several dozen attorneys and staff.

How could it possibly be a target? Cybersecurity isn’t necessary unless you’re a nation-wide retailer or a bank, right? Wrong. Hackers make their bones on that very misconception.

As it turns out, if you have something worth selling, you have something worth stealing. In the case of our law firm, the practice is at a heightened risk of a breach because investment-savvy cybercriminals are always on the prowl for the undisclosed details of a merger or acquisition. One leaked email can confirm a deal is pending: a windfall for our hacker-turned insider trader.

So while the data might not be as plentiful or yield the immediate returns that information stolen from a bank might, it’s still valuable. And not only is it valuable, but the “I’m too small to be a target” fallacy makes it easier to steal than from a bank that spends millions on cybersecurity.

This confluence of financial motive and easy access should be alarming not only for small firms but also their customers in the narrow vertical markets that they serve. A medical device manufacturer that focuses on engineering drug infusion pumps for hospitals takes care to secure machinery schematics and other intellectual property stored on its servers, but its interest in cybersecurity stops there.

Once the devices get to hundreds of hospitals nation-wide, the devices’ anachronistic software and security features jeopardize the lives of thousands of patients that interface with their own drug delivery machines.

The effects of breaches on companies serving small verticals are disproportionately severe. In the Target hack, the retailer’s sporting goods customers were just as much affected as its electronics or clothing customers. Fortunately for all of us, there are hundreds of retailers that can sell us those products. But when it comes to medical device manufacturers that can produce and sell internet-enabled drug infusion pumps at scale, the number shrinks considerably smaller.

Therefore, a serious breach at such a company can send shockwaves through the narrow vertical market that it serves, putting a strain on the crucial but often-overlooked gears that drive the modern economy forward.

Fortunately, firms serving niche markets can take concrete, actionable steps to protect themselves and their customers:


Target has billions of dollars in annual revenue, and it can afford its own robust IT and security departments. Most of the companies we’re talking about don’t come close to that, so incentivizing adequate cybersecurity – through tax benefits or even regulation and non-compliance fines – can help smaller enterprises afford, at the very least, a cybersecurity partner that has the expertise and scale necessary to improve security and resiliency.


While the idea of sharing information with competitors is an unnatural one, intra-industry intelligence sharing on cyber threats unique to a particular type of vertical has proven effective at forestalling attacks while fostering trust. Medical device manufacturers and hospitals, for instance, should share threat information and best practices so that the producers can build necessary security features into their next generation of products that are responsive to the actual attacks that the hospitals are seeing daily.


A firm serving a small market will typically be small itself. A clerk at a Fortune 500 company probably can’t forward a phishing email to his CEO, but at a small device manufacturer, it’s more likely than not. That means it’s incumbent on every employee to be diligent and exercise good cyber hygiene. And get educated/stay up to date.


A final step in mitigating the cyber risk to firms serving crucial narrow vertical markets is to simply pass off the risk to an insurer. Insurance companies are increasingly getting into the cyber insurance market, and for good reason. Without some indemnification, a serious breach at a small firm could lead to insolvency and send ripples through the narrow market it serves. A little bit of coverage protects not only the company but also the larger economy.


via: tripwire

Save pagePDF pageEmail pagePrint page

Leave a Reply

Your email address will not be published. Required fields are marked *