SaRB for SMO's blog pages contain between 3000-4500 words, as a non-subscribers you only have access to 800-1000 words.

(Reading time: 12 - 23 minutes)

Attacks to SMOs


SaRB for SMOs Action Info

Security Management Group

get me out 1605906 640

When it comes to cyber security attacks, what do we know about them, where do they originate, how do they succeed, what is the goal of certain type of attacks? These are just some of the questions that hit the public imagination when it comes to attacks to Small Organisations. However, there are many myths and misconceptions around them.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.

 Glossary Terms in this Blog Article - hover to view, click for full glossary.



In terms of cyber attacks to Small Organisations, understanding some of the attacks enables an Organisation to prepare itself better by utilising threat modelling approaches in risk management, and cyber threat intelligence. Knowing how attackers attack you helps focus the weaknesses they exploit better.

As usual, we won’t be going into technical details in any depth, and it isn’t important to understand everything about every type of attack, all in one go. We are going to introduce several words, phrases and terms that you may have heard of before but weren’t sure of, as well as several you may never have heard of.

Default sample awareness and knowledge infographic

Myths and Misconceptions about Attacks

One of the biggest factors that make it easier for attackers to succeed in their attacks is that the Small Organisations as prospective victims have misconceptions about both attacks and attackers. Having previously looked into attackers, today we’re going to look into the different types of attacks used by attackers to succeed in the goals they have. The aim of what we are covering isn’t to make everyone paranoid that they don’t use any technology, but rather to open their eyes to the sort of things that help and make it easier to be attacked. In the same way that people never consider crossing the road without their eyes open and look in both directions before deciding to cross the street, we want to help organisations to pick up tips about what they do to help attacks succeed - so they can stop doing them.

Here are some of the myths and misconceptions about attacks:

  • We are a new organisation, nobody knows anything about us, so we won’t get attacked – attacks are not often based on knowing everything before the process of the attack starts. There are many ways into an organisation, but at the highest level it will be through what an individual does or doesn’t do, or a technology which has a vulnerability or not been configured for security. On the human individual side, it could be that an employee, board member, partner or supplier was compromised before your organisation was set up and when they were given access to your organisation’s technology (email, cloud storage, network, etc.) the attacker may be able to learn more about the new association, which they may then try to leverage. On the technology side, assuming that every individual has at least one electronic device with an email account, browser and apps on it, whether it was compromised before the owner associated with the organisation or not will be irrelevant, as the attack was on the technology not the organisation; even though the end target may end up including the organisation. So, it’s not about the organisation when the attack started, but the compromise of an individual or a technology (device, service, etc.) it can lead to an attack on the associated organisation whether the organisation is new or old.
  • New and Small Organisations won’t get attacked because they don’t have any money – The misconception here is that the goal of a single attack is a bank account with money in it. In most cases, an attack is a journey, where one point leads to one or more other points to compromise, until in the end the attacker has an understanding of what is the most profitable assets the journey has provided access to. In some cases, it may be that a compromised email account leads to other email accounts, service accounts, bank accounts other cases, it may just be that an email account provides a contact list, which can then be sold to spammers or phishers. So, attackers are often not only after big bank accounts with lots of money in them, they are after any thing that can lead them to saleable assets; where those assets can be contact lists, passwords, compromised accounts, payment card details, service management accounts, and so on. The goal is what assets can be sold to generate a revenue rather than immediate cash. And the fact is that all those people who work for, or are on the board of, or partners of, or suppliers of, of customers of Small Organisations have digital assets which can be compromised and sold, which are valuable enough for resale, despite the organisation itself having little or no cash in the bank.
  • As a new organisation we have nothing that attackers can take – continuing from the previous point, often attackers don’t care about the organisation having cash to steal. As an organisation, it has people connected to it as a board, employees, interns, volunteers, partners, suppliers and customers, all who have and use digital devices and services which can be compromised.
  • We are a small team with new devices, we have very little that can be attacked, so we’ll be safe from attacks – although it is true that new Small Organisations may only have a few devices which may be new and presumably with only a few or ideally no vulnerabilities; there is no guarantee of that. Further, this misconception ignores the fact that every individual will communicate using existing devices, apps, browsers, routers, etc. etc. which are capable of being compromised in the future, if they are not already compromised. The attack surface, (which we will go into in a future episode) is based on people connections and technology connections. Although having new devices may be a good thing, since they should not have any new vulnerabilities in them, there is no guarantee that this is always the case, if the buyer is not aware of how to purchase, install and configure for security. In very basic terms, the attack surface of a Small Organisation grows with every new human connection, and further with all their devices, and further with all the many apps and services on each device and how much time they spend on online services which may lead to a compromise.
  • It’s “impossible to categorically attribute an attack to a particular attacker” – there have been many discussions about this point, especially by those who want to attribute an attack to a nation state attacker. Although this point used to be true, due to the fact that attackers may use services which enable them to jump from one IP address to another, to another and another. And an attacker may jump between seven or more IP addresses, and each time they do that it becomes harder to identify with certainty which user on that IP address is the one who initiated the attack. However, with some of today’s technologies and with so many services monitoring traffic it has become easier to be able to identify traffic than it used to be. This doesn’t mean that attribution of an attack is 100% accurate, but it certainly much better than it’s ever been.
  • We’ve just spent a lot of money on an industry leading solution (or provider), so we won’t be attacked now – this misconception overestimates the value of the solution, the solution provider. Further, it underestimates a users’ ability to not introduce vulnerabilities, etc. and how some attack tools get passed controls. Most security controls can help reduce the overall attack surface, but none can eradicate it completely because it is forever changing. Small Organisations should not focus on how much they spend and then assume that they are secure, but more on effective risk management to achieve the level of security they need to protect their most valued assets.
  • Attacks are highly sophisticated – this is a phrase often heard in news reports when a CEO of a large company appears in front of the press. In many cases the phrase is used as a way of covering up the lack of security controls in that organisation; because usually no one can categorically say that the attack was highly sophisticated without a complete investigation. In many public examples of where the phrase has been used, further investigations showed that the attack was due to a lack of controls, often but not always due to the latest software patches or updates not being applied and the attackers taking advantage of that. So, most attacks are not highly sophisticated at all, but down to a breakdown of controls. Which is why cyber hygiene activities like applying software patches can help reduce attacks considerably.
  • Attacks happen during the working day we operate in – often attackers will choose to attack at a time which they know will be most uncomfortable in every way for the victim. Whether the attack is in a different time zone or when you have a major organisational event, once a victim is identified, attackers will attempt to use every resource (and yours) they are able to use to succeed. This means that attacks will often happen when they can’t be easily noticed and or easily responded to or protected.

Most of these misconceptions lead to Small Organisations to not prepare themselves against attacks, due to a false sense of security that they won’t be attacked as they are not a viable target. Attackers starting point for attacks is not necessarily the end organisation, but on their own starting point of what they know about people, their behaviours and or the technologies they use.

Why Learn about Attacks

Small Organisations are busy doing what they set up to do, the last thing any of them need is to have to learn new things that don’t involve providing the service or product they set up to provide. So, the reason we suggest that it may be beneficial for them to learn about attacks is that even at a high-level they can use the basics to reduce the risks of a devastating attack.

With each type of attack, it isn’t important to know all the technical in’s and out’s but more about what behaviours at the human level facilitate the success of that attack, and also what technical controls can be used to identify, detect and respond to that type of attack.

We do not for one minute believe that Small Organisations should all learn everything that needs to be known so that they can better protect themselves, but to learn enough so that they are able to reduce attacker opportunities rather than facilitate them.

Default sample Threat Map infographic

This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.

Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more. 

Actions and Activities

Now, on SaRB for SMOs:

  • Help us to help you by completing our short poll on this topic (only available when article is published).
  • Let us know which FAQs you would like us to answer.

Later, in your Organisation:

  • Complete Board level Policy Review
  • Update Policy
  • Present to the Board for Agreement

Finally, if you know anyone who could benefit from the information you have viewed, please invite them to register for SaRB for SMOs and share our resources with them.

Follow-up Resources:

Virtually Informed Resources:

  • Glossary - at the top of this blog article (link to items).
  • Infographics (Downloadable in the week of publication).
  • Download Items - Policy Templates, etc. (Downloadable in the week of publication).
  • FAQ’s (Available soon).
  • Blog articles (link to items )
  • How To articles (links only available to Premium subscribers).
  • Other content (available soon)

External Resources:

  • Ponemon Institute Survey
  • Other Survey information

Images from