About 540 homes are broken into every day in Australia, yet you’ll never hear about them on the news. It just doesn’t warrant the media’s attention, and people honestly aren’t interested in it. This breach is the digital equivalent of that. It happens all the time and nobody gives a toss.
You’ve probably never heard of Calida Projects, I know I hadn’t. They are a small business in Sydney that does commercial construction services.
Somehow they got on Akira’s radar and breached.
Impact
The impact is isolated to Calida’s business and their customers, which is likely to be a very small percentage of the Australian population.
While not interesting to the general public, these sorts of breaches can still have a large impact on both the business and employees. It can erode customers’ confidence in the business to protect sensitive information and expose employees if HR records are released publicly.
Details
No details to be had at this time. It hasn’t made the news, and there is nothing mentioned on Calida’s website or socials.
Communication
No comms from Calida, so I have emailed them to see if they have a public statement.
Opinion
Small businesses are in a difficult position when it comes to cybersecurity.
- They have a low probability of being a target.
- They are unlikely to get found and don’t have much to steal
- They typically have garbage security, so are easy targets
- Being breached could be fatal, but there is still a chance they could survive the breach.
Risk managers are familiar with this situation. It makes for a very innocuous graph as below.
In business school, they call risks like this “Not worth doing” or “Cant afford it, I’ll take the risk“. Which is precisely what most small businesses do with cybersecurity.
Nothing.
The return for the business of being secure, simply don’t warrant the costs.
Lack Capacity
- Don’t have in house technical skills
- Cant afford the IT security consulting and services
- Don’t have the skills required to manage a breach if it occurs
- Implementing good secure practices would slow them down and frustrate staff
- There is no legal/compliance framework compelling them to adopt a more secure profile
- The chance of being coming up on a ransomware group’s radar is very low. So they are inclined to take the risk.
Willing to gamble
- The impact on their business can be fatal if they lose key clients or get sued
- They don’t have the cashflow required to mitigate a breach with cybersecurity audits, IT remediation and marketing
- They almost certainly can’t afford the ransom
Small business will continue to hope they go unnoticed by malicious actors. If they do get breached, they hope it can be cleaned up before anyone notices.
Sadly, I can’t see this changing any time soon.