SaRB for SMO's blog pages contain between 3000-4500 words, as a non-subscribers you only have access to 800-1000 words.

(Reading time: 6 - 11 minutes)

How Attackers Get to You


SaRB for SMOs Action Info

Security Management Group

Replace This Image

Attackers have been getting into large and small organisations for many years, and every week we read about all the breaches that could not be hidden from the public. Today we look at what Small Organisations may do in particular that makes it easier for attackers to get into their Organisation.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.

 Glossary Terms in this Blog Article - hover to view, click for full glossary.



We have recently looked at the different types of attackers, the different types of attacks that each of them use, then the growing attack surface of Small Organisation, and in the last episode we looked at what it is that attackers are after. Next week we will be concluding this grouped topic with an introduction to protection controls, but before we get into that, in this episode we are looking at how attackers get into an organisation. What are the various attack points they target and why, what makes them choose particular ones, and what can be done to reduce the risks of attack into those points?

But first as usual, we are going to start with what Small Organisations do that makes it easier for the attackers, and as usual, in many cases it starts with a lack of understanding.

Default sample awareness and knowledge infographic

What SMOs Misunderstand about How Attackers Get In

Boards and staff in Small Organisations often have at the back of their minds that they could be attacked, but because they may lack the awareness, knowledge and experience, it is often not at the front of their minds to protect their organisation. Here are some of the things to remember about the misunderstandings attackers may rely on, to get into your organisation.

  • Many Smaller Organisations assume that attackers sit behind computers all the time and only target technology entry points every time. This is not true, we know and have given examples of criminals who will call up organisations on a phone list and pretend they are calling from a supplier like an ISP, or Microsoft and say that there is malware coming from the organisation and ask them to check their registry to confirm something and then get the victim to install a fix, which is actually malware. And the starting point of the malware infection is actually something not technical at all. Later, we will look at different points of attacks.
  • One of the important aspects about Small Organisations that attackers may rely on in their attacks, is the willingness of SMOs to go after all new business with great eagerness without asking questions. Attackers rely on good customer care in asking lots of questions which will enable them to build a picture of the organisation to help them attack it. Attackers may use various social engineering techniques (otherwise known as lies) to paint a picture that they are a prospective customer, and that they need further information to explore this possibility. They will ask similar sort of questions, but they may identify concerns and ask follow-up questions, and it is probably these answers that they are really after. But the objective can be any anything from as simple as confirming the name of who they should focus their attack on, to confirming an email address to send a phishing email to.
  • This poses a real challenge for Small Organisations in providing the best customer service to compete with competitors and larger suppliers. Depending on the industry sector, there may be a norm to not verify the customer is the sort of customer they are looking to take on, and any questioning may put the customer right off.
  • The trust element often plays a big part in an attacker’s arsenal – the reason trust can so easily be abused in examples of giving away too much information to anyone calling customer services, may often be due to Small Organisations not understanding they type of customer they want and the questions that should be collated to help identify how best to help the customer. These questions may include asking for organisation name, contact details, etc. However, these may not always be real, even though they are provided, whether it is via phone, web form, email or any other point of enquiry.
  • Trust is easy to exploit whether it is pretending to be your organisation to perpetrate an attack on another organisation or pretending to be from another trusted organisation when communicating to your organisation. Emails, SMS messages, website pages, phone numbers may be spoofed to appear as a trusted organisation.
  • Smaller Organisations often don’t consider all cyber risks and threats to their organisation. There are a greater number of attack points than there are types of attacks – which we covered recently, when looking into attacks and the threat landscape. The various points of attack are all related to the actual the final asset that is being targeted together with how they intend to monetise the asset and their own techniques for getting to the asset. For example, if the intention is to collate email lists for self-use and or selling to others, the attacker may either purchase the list from another third-party first and then start adding to that list over time and test the list in terms of who responds and which emails are no longer valid, etc. This will also determine the quality of the list in terms of who are decision-makers and who always reads emails and who uses spam filters, who reads the message using which applications. Because all of these factors are targeting factors for attacker target-market segmentation. For example, if the attackers are targeting an organisation’s technology infrastructure, they will want to send messages to any responsible for those services, and not the sales or marketing person.
  • The assumption of trust in most operational activities, in everything from answering an enquiry, to visiting a website, many Smaller Organisations may not have the awareness to train their staff on security awareness issues to filter out the latest types of attacks. That element of trust in Covid payment emails to small organisations could have got many infected with malware, or giving up their bank account details, or other details. The trust that they would only be receiving such emails if they were entitled to receive such payments, and that the emails is from a government body, especially at a time when they need the cash puts them in a position that they don’t question very much.

As we mentioned in our episode on the Small Organisation Attack Surface, it is forever getting broader, and in some respects too broad for the average Small Organisation to understand the impact of its breadth. This is why cyber risk management is not a static activity, but one that is manageable if approached correctly.

Groups of Points-of-Attack Targets

Types of target groups attackers will try to exploit include the following:

  • People – people are often the gatekeepers to resources, whether the resources are bank accounts to actual cash, or control of resources which can be monetised. Earlier we gave examples of a few roles people have that are sometimes targeted, we’ll go into these in more detail later.
  • Processes – these are often put into place for successful and consistent operations, however if they are ill thought out, they can be open to abuse by attackers. We’ve already mentioned a couple of processes earlier, and we’ll go into more details with a few others later.
  • Technology – this target group is the one that most people think about when they think about attacks, however, it can be the starting or end point of an attack, we explore in more detail later.

These three groups are the areas that security controls often attempt to target in terms of layering the right combination of controls to achieve balanced layered approach to managing risks.

Default sample Threat Map infographic

This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.

Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more. 

Actions and Activities

Now, on SaRB for SMOs:

  • Help us to help you by completing our short poll on this topic (only available when article is published).
  • Let us know which FAQs you would like us to answer.

Later, in your Organisation:

  • Complete Board level Policy Review
  • Update Policy
  • Present to the Board for Agreement

Finally, if you know anyone who could benefit from the information you have viewed, please invite them to register for SaRB for SMOs and share our resources with them.

Follow-up Resources:

Virtually Informed Resources:

  • Glossary - at the top of this blog article (link to items).
  • Infographics (Downloadable in the week of publication).
  • Download Items - Policy Templates, etc. (Downloadable in the week of publication).
  • FAQ’s (Available soon).
  • Blog articles (link to items )
  • How To articles (links only available to Premium subscribers).
  • Other content (available soon)

External Resources:

  • Ponemon Institute Survey
  • Other Survey information

Images from