
When retailer Target was hacked in 2013, the damage was so extensive that direct costs exceeded $250 million. To its credit, Target’s external-facing cybersecurity wasn’t too bad; the attack came through a mom-and-pop HVAC vendor with unnecessary access to the retailer’s network.

Smaller enterprises like the HVAC company are often under the illusion that they have no reason to be targeted by a cyberattack. Not only is this blatantly false, as the Target example illustrates, but for firms serving narrow vertical markets, the potential harm from such incidents is magnified.

For instance, consider a law practice that deals almost exclusively in mergers and acquisitions. Why would the firm need anything beyond rudimentary security measures? After all, its network doesn’t store much financial data, and it only maintains personal information on its several dozen attorneys and staff.

How could it possibly be a target? Cybersecurity isn’t necessary unless you’re a nation-wide retailer or a bank, right? Wrong. Hackers make their bones on that very misconception.

As it turns out, if you have something worth selling, you have something worth stealing. In the case of our law firm, the practice is at a heightened risk of a breach because investment-savvy cybercriminals are always on the prowl for the undisclosed details of a merger or acquisition. One leaked email can confirm a deal is pending: a windfall for our hacker turned insider trader.

So while the data might not be as plentiful or yield the immediate returns that information stolen from a bank might, it’s still valuable. And not only is it valuable, but the “I’m too small to be a target” fallacy makes it easier to steal than from a bank that spends millions on cybersecurity.

This confluence of financial motive and easy access should be alarming not only for small firms but also their customers in the narrow vertical markets that they serve. A medical device manufacturer that focuses on engineering drug infusion pumps for hospitals takes care to secure machinery schematics and other intellectual property stored on its servers, but its interest in cybersecurity stops there.

Once the devices get to hundreds of hospitals nation-wide, the devices’ anachronistic software and security features jeopardize the lives of thousands of patients that interface with their own drug delivery machines.

The effects of breaches on companies serving small verticals are disproportionately severe. In the Target hack, the retailer’s sporting goods customers were just as much affected as its electronics or clothing customers. Fortunately for all of us, there are hundreds of retailers that can sell us those products. But when it comes to medical device manufacturers that can produce and sell internet-enabled drug infusion pumps at scale, the number shrinks considerably.

Therefore, a serious breach at such a company can send shockwaves through the narrow vertical market that it serves, putting a strain on the crucial but often-overlooked gears that drive the modern economy forward.

Fortunately, firms serving niche markets can take concrete, actionable steps to protect themselves and their customers:

Incentivize cybersecurity

Target has billions of dollars in annual revenue, and it can afford its own robust IT and security departments. Most of the companies we’re talking about don’t come close to that, so incentivizing adequate cybersecurity – through tax benefits or even regulation and non-compliance fines – can help smaller enterprises afford, at the very least, a cybersecurity partner that has the expertise and scale necessary to improve security and resiliency.

Threat information sharing

While the idea of sharing information with competitors is an unnatural one, intra-industry intelligence sharing on cyber threats unique to a particular type of vertical has proven effective at forestalling attacks while fostering trust. Medical device manufacturers and hospitals, for instance, should share threat information and best practices so that the producers can build necessary security features into their next generation of products that are responsive to the actual attacks that the hospitals are seeing daily.

Culture reevaluation

A firm serving a small market will typically be small itself. A clerk at a Fortune 500 company probably can’t forward a phishing email to his CEO, but at a small device manufacturer, it’s more likely than not. That means it’s incumbent on every employee to be diligent, exercise good cyber hygiene, get educated, and stay up to date.


A final step in mitigating the cyber risk to firms serving crucial narrow vertical markets is to simply pass off the risk to an insurer. Insurance companies are increasingly getting into the cyber insurance market, and for good reason. Without some indemnification, a serious breach at a small firm could lead to insolvency and send ripples through the narrow market it serves. A little bit of coverage protects not only the company but also the larger economy.


About the Author: After wrapping up a twenty-four-year career in the US Navy as a Director at Navy Cyber Command, Keith Kimmel leaped at the chance to continue working on cyber issues in the private sector. He works around the clock to cultivate strategic partnerships with leading firms in the technology and legal sectors. When he’s not getting crushed at CrossFit, he can be found whitewater kayaking on the Potomac River.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

  • Keith Bishop

    I completely agree with the concept of this article. We all need to protect the cyber-security of our customers.

    However, this author’s major example is false. The hackers didn’t come “through a mom-and-pop HVAC vendor with unnecessary access to the retailer’s network.” They came in through Target’s electronic billing portal (they only used the vendor’s credentials to the system). It was Target that unnecessarily left network architecture info accessible on that portal that showed how to access the POS system.

    It is almost 3 years later and we are still trying to blame remote access to an HVAC system. I’m not saying that it is theoretically impossible for it to attack a network through a BAS system, but it isn’t what happened here.

  • Great article. We just did a talk about cyber security for startups which are very vulnerable to cyber attacks. Most don’t realize the IP they are working on has a lot of value in the startup world and is sometimes being stolen for competitive advantage.