Attackers pick targets based on the payout, not which companies are easy to hack

Attackers always keep their eyes on the prize. An operation’s goals drive every facet of a hacking campaign, including the choice of targets. The weakness or strength of a company’s security measures doesn’t factor into how attackers pick their target. Instead, attackers pick the targets that best fit the operation’s goals.

Vulnerabilities don't matter to attackers

If they’re going for credit-card data, they’ll hack companies that provide them with this data. They won’t look for targets that are vulnerable. Of course, a company that doesn’t regularly patch buggy software or hasn’t taught users about the dangers of phishing emails just makes an adversary’s job much easier. Ultimately, an organization’s vulnerabilities don’t matter to hackers. All adversaries realize that they’ll eventually infiltrate their target and that they just need one attack to be successful to complete a mission. There are simply too many possible ways to carry out an attack and not enough information security professionals to block every access point.

Hackers looking for medical records don’t necessarily care what security tools a hospital is using. They just want the electronic health records. They’ll develop an attack plan that allows them to reach that goal.

The company you keep can make your organization a target

And that attack plan may include breaching a company that doesn’t have the data the hackers are after. However, that company may provide them with access to their target. The Target hack is a great example of this: the attackers went after the company that serviced the HVAC systems in the retailer’s stores. In other words, sometimes it’s the company you keep that’s important to hackers.

Consider what your company could provide attackers, whether that’s something obvious like financial details or something that’s not as conspicuous, like a connection to a business with coveted intellectual property.

Look at the big picture

While your business may not store credit-card information or government secrets, your company could have access to this information. Do you process health insurance claims that contain personally identifiable information or mortgage applications that contain a person’s financial details, including bank account numbers? Think about the ecosystem around your business.

Lital Asher-Dotan
About the Author

Lital is a marketing team leader, storyteller and technology marketing expert. She joined Cybereason as the first marketing hire and built a full marketing department. She specializes in brand building, product marketing, communication and content, and is passionate about building ROI-driven marketing teams.