Recent Posts

Welcome New Member – Norman King from Australia

Please welcome our newest member from Australia, Norman King! Norman has 25+ years of experience working as a technology professional. As CTO, he has been part of the leadership team at iPartners since the company began operations in 2017. He has overseen the development of 

Cyber (In)Securities – Issue 142

News

  • Ransomware Gangs Innovate With New Affiliate Models – Dark Reading – Alexander Culafi
  • FBI: US lost record $16.6 billion to cybercrime in 2024 – BleepingComputer – Sergiu Gatlan
  • Attackers hit security device defects hard in 2024 – Cyberscoop – Matt Kapko
  • Ripple NPM supply chain attack hunts for private keys – The

🐘 The Elephant in the Server Room: Why Nation-State Hackers Love Small Businesses

You’d think nation-state cyber attackers would be too busy targeting military secrets, critical infrastructure, or global financial systems to bother with your local optometrist, small engineering firm, or boutique consultancy.

But you’d be wrong.

As Rob Lemos in his recent Dark Reading article “Nation-State Threats Put SMBs in Their Sights” noted, small and medium businesses (SMBs) are increasingly being caught in the crosshairs of nation-state actors. And while that sounds dramatic, it’s not exactly news to those of us who’ve been waving this red flag for a while now.

If you’ve heard me talk about data privacy, sovereignty, or security-by-design, you’ll know this has been a consistent message: Small doesn’t mean safe.
And simple doesn’t mean insignificant.

🐘 The Elephant in the Server Room

Let’s get this out of the way: Most small business owners aren’t waking up thinking about advanced persistent threats. They’re thinking about invoices, customers, staff shortages, or what fresh compliance headache might land in their inbox next.

But that’s precisely what makes them attractive to cyber operatives. Nation-state actors — whether working directly for governments or as aligned proxies — know that many SMBs:

  • Don’t have dedicated security teams
  • Rely on unpatched or outdated systems
  • Lack visibility into who accesses their data
  • Are deeply embedded in complex supply chains

And it’s that last point that’s so often overlooked. Because when a hostile actor wants to breach a major government department or multinational contractor, the front door is usually locked. So they look for a side door.

🕵 The Stepping Stones in the Spy Game

Small businesses aren’t usually attacked because of the data they hold. They’re attacked despite it — or more accurately, because of who they’re connected to.

Think of SMBs as stepping stones across a river. Alone, they may seem easy to overlook. But in the hands of a strategic adversary, they form a precise, quiet path — one that leads straight to critical infrastructure, sensitive government systems, or global defence suppliers.

Nation-state actors know this. They’ll compromise a regional software vendor with government clients. Or a boutique logistics firm that supports infrastructure projects. And then they wait.

This isn’t smash-and-grab ransomware. It’s quiet infiltration. Long-game strategy. And it works.

🧩 But Here’s the Hard Truth (and the Good News)

Small businesses can’t keep outsourcing this risk to someone else. Governments and tech giants have critical roles to play, of course. But SMBs themselves need access to practical, affordable ways to take control of their data.

I know it’s a lot. Many small business owners are already overwhelmed — especially with security solutions that feel designed for enterprises with full SOC teams and million-dollar budgets.

That’s why we designed 3 Steps Data with three very specific principles in mind:

  • Simple to use — because you shouldn’t need a cybersecurity degree to protect your business.
  • Cryptographically secure — so even if someone breaks in, they can’t read your data.
  • Zero-knowledge architecture — meaning we can’t see your data. And neither can anyone else.

We believe compliance and governance shouldn’t be a scary afterthought — they should come baked in. No back doors. No silent surveillance. No compromises.

🛡 Stop Treating SMBs as Collateral Damage

For too long, small businesses have been treated as unfortunate casualties of cyber warfare — overlooked in policy and underserved by tools.

But the truth is, SMBs are the economy. They’re the innovators, the service providers, the specialists keeping everything running in the background. And they deserve security solutions that match their importance — not just their size.

SMBs need:

  • Education that speaks business, not jargon
  • Tools built for real-world constraints
  • Transparent, auditable systems that don’t require trust, because they’re designed not to know
  • Public policy and industry support that acknowledges the role SMBs play in national resilience

🧭 A Final Thought

I’ve said it before, and I’ll keep saying it: Cybersecurity isn’t just a tech issue — it’s a business continuity issue. A trust issue. A sovereignty issue.

So next time someone suggests that nation-state hackers only go after “big targets,” remind them: the path often runs straight through the smallest players.

Let’s stop leaving our smallest businesses to fight off the world’s most resourced attackers with nothing but duct tape and good intentions.

Because when the stepping stones are this exposed,
it’s only a matter of time before someone crosses them.


About the Author:

Kim Chandler McDonald is the Co-Founder and CEO of 3 Steps Data, driving data/digital governance solutions.
She is the Global VP of CyAN, an award-winning author, storyteller, and advocate for cybersecurity, digital sovereignty, compliance, governance, and end-user empowerment.

CyAN’s Position on Germany’s 2025 Coalition Agreement

CyAN’s position on the digital elements of the 2025 German CDU/CSU – SPD coalition agreement

Cyber (In)Securities – Issue 141

News

  • Former cyber official targeted by Trump quits company over move – NBC News – Kevin Collier
  • MITRE’s CVE program given last-minute reprieve – itNews – Raphael Satter
  • Whistle Blower: Russian Breach of US Data Through DOGE – Narativ – Zev Shalev
  • Midnight Blizzard deploys GrapeLoader malware – BleepingComputer – Bill Toulas
  • 4chan

No Time for Antics with Semantics: Why CVEs Are Cybersecurity’s Lifeline

The cybersecurity world runs on shared language.

We don’t often talk about it in those terms—but that’s exactly what the CVE (Common Vulnerabilities and Exposures) system is. A global taxonomy of flaws. A universal index of weakness. The quiet backbone that lets defenders coordinate responses in a coherent, time-sensitive, and standardised way.

This week, we almost lost it.

MITRE, the U.S. non-profit that has maintained the CVE database for the past 25 years, issued a warning: without urgent financial support, the program might have to shut down. For a moment, it looked like a cornerstone of global cyber defence could vanish not due to compromise, but because the funding simply… ran out.

In breaking news, that immediate crisis has been averted. MITRE’s contract has been extended by CISA (the US Cybersecurity and Infrastructure Security Agency)—giving the CVE program a last-minute reprieve.

But let’s be very clear: contract extended or not, if the stability of cybersecurity is dependent upon a single point of failure like the CVE program, then we were doing something wrong all along.

This isn’t just a funding story. It’s a governance failure. And a warning.

What Exactly Is the CVE System?

Think of CVEs like ISBN numbers for cybersecurity. Each known vulnerability gets a unique ID, a descriptor, and references to public advisories. This makes it possible for security vendors, IT teams, researchers, and regulators across the globe to talk about the same issue using the same label.

Without it, we’d see:

  • Mismatched alerts and miscommunication
  • Slower incident response and triage
  • Broken tooling and disrupted automation
  • Loss of clarity about severity and urgency
  • And worst of all—attackers gaining time

It’s one of the few places where the global cyber ecosystem has reached consensus.

And unlike, say, the metric system or date formatting conventions—which still spark furious debate—this agreed shared language is not just helpful, it’s vital.

Because ultimately, this isn’t about playing antics with semantics. It’s about enabling defenders to move fast, speak clearly, and act decisively—before the attackers do.

The CVE system underpins millions of software and hardware interactions. It’s built into everything from vulnerability scanners and SIEM tools, to third-party risk assessments and government guidance.

So when that structure comes under threat—even temporarily—the ripple effect is massive.

A Global Risk, Not Just a U.S. One

Yes, the CVE program is managed by a U.S. organisation, and yes, it’s historically funded through U.S. government contracts. But its reach is global. Cyber agencies across Australia, the EU, Singapore, Canada, the UK, and beyond rely on CVE-tagged data. Threat intelligence feeds are stitched together with CVEs as the reference point. Vulnerability disclosure laws, public alerts, and national security advisories depend on them.

It’s one of the rare areas where governments, private sector actors, and researchers use the same dictionary. If it vanishes, we don’t just lose convenience—we lose coordination. And in cyber, that costs time. And time costs everything.

Who’s Meant to Be Funding This?

The private sector benefits enormously from the CVE system. Many vendors submit vulnerabilities for cataloguing. Yet few have contributed meaningfully to its upkeep.

Governments reference it in policies and standards, but the funding model remains opaque, fragile, and U.S.-centric. What this moment exposed is a critical gap in global cyber infrastructure planning: we’ve built the digital equivalent of a universal translator—and expected someone else to maintain it.

There’s a real opportunity here to rethink that. Whether it’s through an international funding consortium, a public-private stewardship model, or formal multilateral support, we need to treat the CVE program like the critical infrastructure it is—not an afterthought.

What Happens Next Time?

Make no mistake: unless the underlying governance and funding structures change, there will be a next time.

If the CVE system shuts down or is significantly degraded, we can expect:

  • Tooling to break: Most cybersecurity platforms—from scanners to dashboards—rely on CVEs as reference points. Remove them, and accuracy drops off a cliff.
  • Delays in patching: Without standardised identifiers, software vendors and defenders may talk past one another, leading to slower mitigation.
  • Policy vacuums: Government-backed guidance, like CISA’s Known Exploited Vulnerabilities (KEV) catalogue or Australia’s ASD strategies, is all CVE-based and would stall without it.
  • More risk for SMEs: Large organisations might scramble together alternatives. Smaller businesses and resource-constrained teams won’t.

We Can’t Keep Building Fragile Foundations

This isn’t just about one program or one week of funding uncertainty. It’s about resilience.

We can’t claim to be building trusted systems on a global scale while relying on legacy contracts, underfunded nonprofits, and hope.

Cybersecurity isn’t just about stopping breaches. It’s about building structures that can hold when the unexpected happens. And if something as essential as the CVE program can be taken to the brink so easily, we have to ask ourselves: what else have we built on sand?

We dodged a bullet this time, but maybe it’s time we stopped handing out ammunition in the first place.

Thanks for reading. If you’re in business, policy, or cyber, let this moment be your reminder: foundational systems matter. They don’t need bells and whistles—they need stability. And sometimes, the most important things are the ones quietly holding everything else together.

About the Author:

Kim Chandler McDonald is the Co-Founder and CEO of 3 Steps Data, driving data/digital governance solutions.
She is the Global VP of CyAN, an award-winning author, storyteller, and advocate for cybersecurity, digital sovereignty, compliance, governance, and end-user empowerment.

“What happens to Heroes?” EPISODE #4: The Unsung Heroes of the Digital World by Didier Annet

The Psychological Impacts of Cyberattacks

This is the fourth episode of a story related to individuals who, in a matter of moments, transition from “employees” to “rescuers” in the immediate aftermath of a destructive cyberattack, the people I will call the “Heroes”!

Let’s Rewrite the Story

La Liga: Blocking of Cloudflare IPs in Spain

Blocking of Cloudflare IPs in Spain due to claimed losses from piracy is a highly worrisome and excessive measure.

Welcome New Member – Younès Felahi from Morocco

Please welcome our newest member from Morocco, Younès Felahi 👋

Younès Felahi, a recognised cybersecurity expert in Morocco and Africa, has over 15 years of experience in the field. He has held positions as a consultant, architect, and expert in cyber strategy, governance, risk and compliance, cyber architecture, SOC activity structuring, and management of detection and response programmes.

After successful stints as CISO and Cybersecurity Director, he currently serves as Chief Information Security Officer within BMCI (BNP Paribas Group).

We are thrilled to have Younès join CyAN and look forward to the expertise and leadership he brings to our community.

Please join us in welcoming Younès Felahi to our network!

Cyber (In)Securities – Issue 140

Information Security News

  • Tariffs May Prompt Increase in Global Cyberattacks – Dark Reading – Robert Lemos
  • US Comptroller Cyber ‘Incident’ Compromises Org’s Emails – Dark Reading – Kristina Beek
  • Wyden Blocks Trump’s CISA Boss Nominee, Blames Cyber Agency for ‘Actively Hiding Info’ About Telecom Insecurity – The Register – Jessica Lyons