Last time we talked about Stryker, the hacker group that hit them, and the uncomfortable truth that they probably weren't chosen so much as they were available. The access existed, someone used it, and a Fortune 500 company spent weeks cleaning up the mess.
Part 2 is where business owners start to get uncomfortable, because this is where we talk about what "available" means for a company like yours.
The most common thing I hear from business owners is some version of "we're not big enough to be a target." And I understand why that feels true. You picture hackers in a war room somewhere, reviewing a list of high-value targets and plotting their next move. If you're not a hospital system or a defense contractor, you're not on the list. You can relax.
Except that's not how most of it works.
The businesses that get hit usually aren't the ones someone spent months researching. They're the ones that were easy to get into. Software that was never updated after a fix for a known flaw was released. A password an employee reused at five different places, one of which got breached years ago and had its password list leaked. A remote access setup that was cobbled together quickly and never really reviewed. Any of those can become a way in-- and once someone has a way in, that access has value whether your business is worth $500 million or $5 million.
Hackers don't pick targets the way you pick a vendor. They find doors that are already open and walk through them.
The other thing that changes the picture: when attackers do go after a larger company and can't get in directly, they look for a side door. That usually means a vendor, a contractor, or a service provider connected to that company-- someone with legitimate access to their systems who maybe hasn't been as careful. If your business works with larger clients, handles their data, or shares any kind of connection to their systems, you can become that side door. You're not the target. You're the way in.
That's a very different kind of exposure than most business owners think about.
So what do the businesses that avoid this look like? Honestly, nothing special. They keep their software updated-- not just the obvious stuff, but the systems nobody thinks about. They make sure employees aren't reusing a work password that was exposed when some other website got hacked three years ago, which is something that can be checked against the published lists of breached passwords. They use multi-factor authentication, which just means logging in requires something more than a password, and they turn it on for email and remote access first, because those are the doors attackers try. They actually know what their IT situation looks like-- what systems they run, who has access to them, and what is reachable from outside-- because the businesses that get surprised are almost always the ones where nobody was looking.
None of that costs a fortune. None of it requires a dedicated security team. It requires someone paying attention on a regular basis, which is exactly what a good IT provider should be doing for you.
The real cost question is what happens when nobody is. Ransom demands. Lawyers. Notifying your customers that their data was exposed. Downtime while systems get rebuilt. Clients who decide the hassle isn't worth it and go somewhere else. I've seen attackers walk away with enough to buy themselves something very nice, and they bought it by finding a door that someone forgot to lock.
Stryker will recover. They have the resources to. Your business might not have that same cushion, which is exactly why the door needs to be locked before someone finds it-- not after.
If you're not sure what your IT situation actually looks like, that's the first question worth asking your provider. Not "are we secure," because nobody can promise that. Ask them what they're watching, what they're updating, and what happens if something goes wrong. If they have good answers, great. If they hesitate, that's information too.