
It’s easier for cyber-attackers to go through a small business to get at a larger mark than to attack that mark directly. Does your organization represent access to a larger target?
Misplaced trust?
A plastics supplier sells parts to a major appliance manufacturer. The small business, focused on production, meeting deadlines and tight budgets, hasn’t prioritized cybersecurity. The small business relies on outdated equipment and software, has weak or default passwords on machinery and networked devices, and lacks properly configured firewalls. Employees are allowed to use personal devices on the company network. There is no formal security training program. These qualify the small business as a springboard for a cybercriminal operation seeking access to the larger, more moneyed appliance manufacturer.
The attacker, aiming to steal from the appliance manufacturer, goes after the small plastics company. They exploit a known vulnerability in an outdated piece of software used to control manufacturing equipment, gaining access to the small company’s internal network.
Once inside the small supplier’s network, the attacker waits and watches via spyware, looking for a chance to compromise an email account and send a malicious attachment directly to an appliance company employee. Looking like design specifications, the file instead contains malware that grants the attacker access to the larger manufacturer’s internal network.
This approach allows the attacker to target a major company while bypassing many of its sophisticated cyber-defenses. The attacker achieves their goal by exploiting the trust between two companies’ employees.
And the impact is significant. The appliance company suffers production delays, financial losses due to lost revenue and recovery costs, and potential reputational damage. The plastics company faces possible financial ruin due to lost contracts, potential lawsuits from the manufacturer and the costs associated with recovering from the attack. Its reputation in its industry takes a hit, making future business more difficult.
Why smaller businesses are especially susceptible
The above scenario shows how a seemingly insignificant small company can become a gateway for a devastating cyberattack on a much larger organization. It shows the vulnerabilities of:
- Legacy Systems: Many small manufacturers rely on older equipment and software that may be vulnerable to known exploits. Updating these systems can be costly and disruptive.
- Operational Technology: Focusing on operational efficiency can overshadow cybersecurity thinking, leaving networks vulnerable to attacks. Connecting Operational Tech devices to IT networks without proper security measures creates significant risks.
- Limited Cybersecurity Resources: Smaller manufacturers often lack dedicated IT staff and cybersecurity expertise, making it difficult to implement and maintain strong security practices.
- Supply Chain Complexity: The interconnected nature of the manufacturing supply chain means potential entry points for attackers.
3 steps to help you avoid being the source of someone else’s breach
- Employee Training: Equip your team to know the signs of an attack. Training should emphasize the importance of verifying requests and questioning anything unusual. Simulate realistic scenarios so people get accustomed to suspicious signs and used to the idea of questioning.
- Multifactor Authentication: Use Multifactor Authentication (MFA) – like a numeric code sent to a different device – to cut off attackers that would be successful with just a compromised password.
- Patch and Update Regularly: Make sure all software, operating systems and networked equipment are updated with the latest security patches to address known vulnerabilities.
Do you need security support?
By taking proactive steps, small businesses can cut their chances of becoming a stepping stone for cybercriminals targeting larger organizations.
Bryley is here to advise you – since 1987 Bryley has helped organizations understand how to best make a security plan and deal with cyber-threats. To speak to Roy Pacitto about defending your small- to medium-sized business, please complete the form (below) or schedule a 15-minute, no-obligation call. Or you can email Roy at RPacitto@Bryley.com or reach him by phone at 978.562.6077 x217.
Lawrence writes about networking and security. He’s written for Bryley since 2015.
©2025 Bryley Systems Inc, 200 Union St, Clinton, MA • 978•562•6077 • itexperts@bryley.com