You're not worth a hacker targeting. Sorry.

2026-05-15

I hear this a lot.

  • “I run a small bookshop …”
  • “I manage a local parish …”
  • “I’m a freelance designer …”
  • “I only use my computer for email and Facebook …”

“… there’s nothing here for a hacker. I’m not worth hacking.”

It’s a reasonable thing to think. You don’t have millions of credit cards on file. You don’t have state secrets. I’m afraid it doesn’t matter.

The automated nature of it all

The first problem is that you’re imagining hackers as people. Serious people with plans. Sitting in dark rooms deciding which organisations deserve their time. That does happen. But it’s probably not happening to your small business right now.

Most “hackers” today are scripts. Mass-scale, automated scanners that trawl the internet for anything that looks remotely vulnerable. These scanners don’t care about your annual turnover.

They just see an open door.

If your server is running old software with known vulnerabilities, the scanner doesn’t ask “is this important?”. It just locks on, breaks in, and installs whatever the person who wrote the script tells it to install.

It happens at 3 AM on a Sunday. You don’t even know it’s happened until someone asks why the website is down.

They don’t want your data. They want your trust.

The second problem is that they usually aren’t trying to steal from you. They’re trying to use you.

Most small organisations don’t have the kind of sensitive data a financial institution might have. So the hackers don’t target you for your database. They target you for your email.

Your email address, your Facebook page and your newsletter have years of trust built up inside them.

If a hacker gets into your email and sends a message that looks like you, asking your congregation to donate to a good cause, people will trust it. Maybe not everyone, but enough people that it matters.

Because it’s from you.

This is how charities lose their entire operating budget on a Tuesday afternoon. This is how plumbers send invoices to clients, only for the money to disappear into an offshore account controlled by someone they’ve never met.

You’re not the target. You’re the doorway.

Even if it’s just an afterthought

And then, even if your organisation has absolutely nothing of value - no money, no members, no reputation to exploit - your machine is still useful.

Once they find it, they turn it into a “bot”. Your machine becomes a cog in a much larger machine, used to attack other people.

Or maybe they extort you with ransomware. You probably don’t have the ability to pay them, but they might as well try at this point.

It’s not a personal thing - and that is the problem.

What to actually do

You don’t need to spend thousands on security suites and complex configurations.

You just need to do the obvious stuff. Consistently.

1. Update everything

When your operating system asks to restart, do it. When a piece of software asks to update, update it. Most of these scanners exploit holes that were closed months ago. Ignoring updates is like leaving your front door wide open so the automated courier doesn’t have to knock.

2. Use a password manager

If you are trying to remember your passwords, you’re doing it wrong. A good password manager is wonderful. It makes you more secure AND makes your life easier. It’s literally win-win.

I normally point people towards Bitwarden. It’s free for personal use, it’s been scrutinised by experts for years and it’s very easy to get started.

I plan on writing a post soon about password managers so keep an eye out for that.

3. Set up 2FA

Two-factor authentication (2FA) is the proverbial second lock. After entering your password, an app on your phone (normally) will generate a code. This ensures that to log in, you need both to know your password and to have possession of your phone (two factors). If someone somehow gets your password, they still can’t get in. If you haven’t already done so, go and set it up on your email account now. Then on other services as soon as you can.

Most people reading this should probably just use app-based 2FA. You can buy hardware tokens with fingerprint readers and fancy cryptography if you want, but a reputable app is fine for most people. Try and avoid SMS- or email-based 2FA if you can, though.
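
For the curious, here is what the app is doing when it “generates a code”. This is an added example, not part of the original post: most authenticator apps implement TOTP (RFC 6238), which derives each code from a secret shared at sign-up plus the current time. The function names and the sample secret (the RFC’s published test key) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# a service hands it to your app (usually inside the QR code) at sign-up.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, step=30, digits=6):
    """Return the code an authenticator app would display at unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step          # number of the 30-second window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_login(password_ok, submitted_code, secret_b32, now, window=1):
    """Server-side check: the password must be right AND the code must match
    the current window (or `window` steps either side, for clock drift)."""
    if not password_ok:
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * 30)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


if __name__ == "__main__":
    now = 1111111109                          # constructed timestamp
    code = totp(SAMPLE_SECRET_B32, now)
    print("code on the phone:     ", code)
    print("password + code:       ",
          verify_login(True, code, SAMPLE_SECRET_B32, now))
    print("password + wrong code: ",
          verify_login(True, "000000", SAMPLE_SECRET_B32, now, window=0))
    print("same code, years later:",
          verify_login(True, code, SAMPLE_SECRET_B32, 1234567890, window=0))
```

The secret never leaves your phone after sign-up and each code expires within a minute or so, which is why a stolen password on its own is not enough.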

4. Keep a backup

If an attack gets through, a backup is what makes the difference between “annoying” and “I’m closing the shop”.

Then make another backup. Then try and restore from them.

The takeaway

As a small company, you’re probably right that you’re not important enough for a skilled attacker to devote lots of their time to.

But in a world full of automated software scanning billions of devices for weak points, “not important” just doesn’t matter.

Hackers aren’t hacking you because you’re valuable. They’re hacking you because you’re there, and you’ve left the front door unlocked. They’re on autopilot.

And even if you have nothing of value stored for a hacker to steal, you need to care because the people who trust you might.
