Tag: cybersecurity

Welcome New Member – Norman King from Australia

Please welcome our newest member from Australia, Norman King! Norman has 25+ years of experience working as a technology professional. As CTO, he has been part of the leadership team at iPartners since the company began operations in 2017. He has overseen the development of 

Cyber (In)Securities – Issue 142

News

  1. Ransomware Gangs Innovate With New Affiliate Models
    Dark Reading – Alexander Culafi
  2. FBI: US lost record $16.6 billion to cybercrime in 2024
    BleepingComputer – Sergiu Gatlan
  3. Attackers hit security device defects hard in 2024
    Cyberscoop – Matt Kapko
  4. Ripple NPM supply chain attack hunts for private keys
    The

🐘 The Elephant in the Server Room: Why Nation-State Hackers Love Small Businesses

You’d think nation-state cyber attackers would be too busy targeting military secrets, critical infrastructure, or global financial systems to bother with your local optometrist, small engineering firm, or boutique consultancy.

But you’d be wrong.

As Rob Lemos noted in his recent Dark Reading article “Nation-State Threats Put SMBs in Their Sights,” small and medium businesses (SMBs) are increasingly being caught in the crosshairs of nation-state actors. And while that sounds dramatic, it’s not exactly news to those of us who’ve been waving this red flag for a while now.

If you’ve heard me talk about data privacy, sovereignty, or security-by-design, you’ll know this has been a consistent message: Small doesn’t mean safe.
And simple doesn’t mean insignificant.

🐘 The Elephant in the Server Room

Let’s get this out of the way: Most small business owners aren’t waking up thinking about advanced persistent threats. They’re thinking about invoices, customers, staff shortages, or what fresh compliance headache might land in their inbox next.

But that’s precisely what makes them attractive to cyber operatives. Nation-state actors — whether working directly for governments or as aligned proxies — know that many SMBs:

  • Don’t have dedicated security teams
  • Rely on unpatched or outdated systems
  • Lack visibility into who accesses their data
  • Are deeply embedded in complex supply chains

And it’s that last point that’s so often overlooked. Because when a hostile actor wants to breach a major government department or multinational contractor, the front door is usually locked. So they look for a side door.

🕵 The Stepping Stones in the Spy Game

Small businesses aren’t usually attacked because of the data they hold. They’re attacked despite it — or more accurately, because of who they’re connected to.

Think of SMBs as stepping stones across a river. Alone, they may seem easy to overlook. But in the hands of a strategic adversary, they form a precise, quiet path — one that leads straight to critical infrastructure, sensitive government systems, or global defence suppliers.

Nation-state actors know this. They’ll compromise a regional software vendor with government clients. Or a boutique logistics firm that supports infrastructure projects. And then they wait.

This isn’t smash-and-grab ransomware. It’s quiet infiltration. Long-game strategy. And it works.

🧩 But Here’s the Hard Truth (and the Good News)

Small businesses can’t keep outsourcing this risk to someone else. Governments and tech giants have critical roles to play, of course. But SMBs themselves need access to practical, affordable ways to take control of their data.

I know it’s a lot. Many small business owners are already overwhelmed — especially with security solutions that feel designed for enterprises with full SOC teams and million-dollar budgets.

That’s why we designed 3 Steps Data with three very specific principles in mind:

  • Simple to use — because you shouldn’t need a cybersecurity degree to protect your business.
  • Cryptographically secure — so even if someone breaks in, they can’t read your data.
  • Zero-knowledge architecture — meaning we can’t see your data. And neither can anyone else.

We believe compliance and governance shouldn’t be a scary afterthought — they should come baked in. No back doors. No silent surveillance. No compromises.

🛡 Stop Treating SMBs as Collateral Damage

For too long, small businesses have been treated as unfortunate casualties of cyber warfare — overlooked in policy and underserved by tools.

But the truth is, SMBs are the economy. They’re the innovators, the service providers, the specialists keeping everything running in the background. And they deserve security solutions that match their importance — not just their size.

SMBs need:

  • Education that speaks business, not jargon
  • Tools built for real-world constraints
  • Transparent, auditable systems that don’t require trust, because they’re designed not to know
  • Public policy and industry support that acknowledges the role SMBs play in national resilience

🧭 A Final Thought

I’ve said it before, and I’ll keep saying it: Cybersecurity isn’t just a tech issue — it’s a business continuity issue. A trust issue. A sovereignty issue.

So next time someone suggests that nation-state hackers only go after “big targets,” remind them: the path often runs straight through the smallest players.

Let’s stop leaving our smallest businesses to fight off the world’s most resourced attackers with nothing but duct tape and good intentions.

Because when the stepping stones are this exposed,
it’s only a matter of time before someone crosses them.


About the Author:

Kim Chandler McDonald is the Co-Founder and CEO of 3 Steps Data, driving data/digital governance solutions.
She is the Global VP of CyAN, an award-winning author, storyteller, and advocate for cybersecurity, digital sovereignty, compliance, governance, and end-user empowerment.

Cyber (In)Securities – Issue 141

News

  1. Former cyber official targeted by Trump quits company over move
    NBC News – Kevin Collier
  2. MITRE’s CVE program given last-minute reprieve
    itNews – Raphael Satter
  3. Whistle Blower: Russian Breach of US Data Through DOGE
    Narativ – Zev Shalev
  4. Midnight Blizzard deploys GrapeLoader malware
    BleepingComputer – Bill Toulas
  5. 4chan

No Time for Antics with Semantics: Why CVEs Are Cybersecurity’s Lifeline

The cybersecurity world runs on shared language. We don’t often talk about it in those terms—but that’s exactly what the CVE (Common Vulnerabilities and Exposures) system is. A global taxonomy of flaws. A universal index of weakness. The quiet backbone that lets defenders coordinate responses 

“What happens to Heroes?” EPISODE #4: The Unsung Heroes of the Digital World by Didier Annet

The Psychological Impacts of Cyberattacks

This is the fourth episode of a story related to individuals who, in a matter of moments, transition from “employees” to “rescuers” in the immediate aftermath of a destructive cyberattack.

What I will call the “Heroes”!

Let’s Rewrite the Story of a Cyberattack – Uchrony of a losing scenario

“The problem is that sometimes operations and security don’t go together. You have to serve the business first, which is what makes the company make money. Our mission is to make operations and production work. But on top of that come the security requests. The issue is that we didn’t have the substance or the importance of what this was going to bring us. We know it’s important, but day-to-day activities take precedence.”

Excerpt From the Interview

My book is dedicated to encouraging companies to consider the human aspect in the context of cyber attacks. But coaching has only been part of my professional practice for the past 4 years. For over 25 years now, my career has been centered on helping customers strengthen their data resilience. This scenario is freely inspired by one of my corporate clients …

Typical identification factor: “It only happens to others!”

Once upon a time, there was a company with an exacerbated DNA of self-confidence, where all the energy was devoted to more business, faster, and where the only valuable thing was to say yes to business. Yes at all cost. Moreover, anyone who says no or tries to make sense is eliminated by the organization’s dynamics.

This scenario presents a lose-lose situation for the company. Despite recognizing, at the conscious level, the importance of IT security and attempting to implement a resilience strategy, the resources allotted are insufficient. The initiatives are never completed. Led by its instinct, the company prioritizes business over cybersecurity, creating a paradoxical corporate stance on cybersecurity.

This mindset frustrates those responsible for cyber resilience and embeds the notion that security measures are “costly and time consuming,” inevitably leading to internal conflicts and stress.

A losing scenario is marked by frustration among teams and between management levels due to inconsistencies between stated policies and actual practices. This creates ongoing tension around cybersecurity. Although the IT infrastructure may be effective and efficient, the company’s economic success relies on daily operations with the resources allocated at all costs to serve the client (business first). Thus, the level of cyber resilience ultimately depends on the technical staff’s motivation. Some individuals may prioritize the protection of IT systems over their own well-being and relationships, creating an unhealthy work-life balance that would need rectification.

In the face of an attack, the team’s advanced technical skills will allow for a prompt and effective response. Incident management procedures exist and are generally followed, ensuring a technologically sound reaction. However, underinvestment leads to gaps in the standard protection sequence (identification, protection, detection, response and recovery), which exacerbates both the technical and human impacts. These can range from complete system contamination to data theft and destruction.

To make up for these shortcomings, certain people may choose to become heroes, taking on additional duties and frequently going above and beyond. In contrast, others may hide their previous negligence, further exacerbating the crisis. This dynamic can happen intentionally or unintentionally.

Despite having a response strategy, these disruptions can hinder communication and objective evaluation, resulting in disputes and blunders during the rehabilitation phase.

The more significant the setbacks, the more the need for Heroes will arise. The greater the injuries, the more healing will be necessary. Each stage introduces its own disorder. During the response phase, some individuals may be marginalized and replaced by those who align more closely with management’s perspective. The technical team will execute the decisions with the help of external companies. However, there is no clear understanding of the underlying logic, leading to hesitation and indecision about the strategy. The post-crisis phase of data recovery becomes crucial if it is found that some information has been irreversibly lost. Heroes will embark on a relentless search for THE solution, striving to salvage the situation without considering the political implications.

Another complication that could exacerbate the situation is the ongoing investigation. If it turns out that the attack came from inside, this would trigger an atmosphere of distrust, secrecy, and suspicion.

Communication with customers and subcontractors will also face delays. Due to contradictory reports, there persists a cloud of uncertainty regarding the company’s trustworthiness.

Post-mortem examinations are often designed to protect a company’s image, specifically by hiding specific blunders. While this may initially seem like a deceptive tactic, it can actually enhance the company’s image of resilience. The company chooses not to disclose details of the incident, either internally or externally, in an effort to maintain its dignity.

Our heroes will find it challenging to return to normal. The human resources department will follow established procedures without acknowledging the extraordinary circumstances or the dedication displayed by some, having observed these events from a distance.

Since there is a desire to quickly move on from the incident, our heroes find themselves in a very targeted confrontation with human resources. Dismissive comments include: “OK, you’ve done a good job. Thank you! Here’s an extra reward to wrap things up. Let’s get back to work.”

This response fails to adequately address the situation. Disheartened, the hero reflects on the sacrifices made for such a disappointing outcome.

The fall of the Heroes!

THINGS TO REMEMBER

Inside every company lives a silent tug-of-war: the business wants speed and innovation, security wants caution and control — and somewhere in the middle lies the fine art of staying both fast and safe.

Stay tuned for the next episode.

And don’t forget: “Cyberattacks are like glitter — once they’re in your system, they’re everywhere, and good luck getting rid of them!”


About the Author

Didier Annet is an Operational & Data Resilience Specialist and a Certified Professional Coach dedicated to empowering individuals and teams to navigate the complexities of an ever-changing digital landscape.

Find him on LinkedIn: Didier Annet

Learn more in his book:
📖 Guide de survie aux cyberattaques en entreprise et à leurs conséquences psychologiques: Que fait-on des Héros ? (French Edition) – Available on Amazon

Coming soon: The English version – “What Happens to Heroes”

Welcome New Member – Younès Felahi from Morocco

Please welcome our newest member from Morocco, Younès Felahi 👋 Younes FELAHI, a recognized cybersecurity expert in Morocco and Africa, has over 15 years of experience in the field. He has held positions as a consultant, architect, and expert in cyber strategies, governance, risk and 

Cyber (In)Securities – Issue 140

Information Security News

  1. Tariffs May Prompt Increase in Global Cyberattacks
    Dark Reading – Robert Lemos
  2. US Comptroller Cyber ‘Incident’ Compromises Org’s Emails
    Dark Reading – Kristina Beek
  3. Wyden Blocks Trump’s CISA Boss Nominee, Blames Cyber Agency for ‘Actively Hiding Info’ About Telecom Insecurity
    The Register – Jessica Lyons

Cyber (In)Securities – Issue 139


Information Security News

  1. Autonomous, GenAI-Driven Attacker Platform Enters the Chat
    Dark Reading – Elizabeth Montalbano
  2. EncryptHub’s dual life: Cybercriminal vs Windows bug-bounty researcher
    BleepingComputer – Bill Toulas
  3. Voluntary ‘Pall Mall Process’ seeks to curb spyware abuses
    Cyberscoop – Tim Starks
  4. That massive GitHub supply chain attack? It all started with a stolen SpotBugs token
    The Register – Jessica Lyons
  5. EU wants to give encryption backdoors a try, despite pushback
    The Stack – Noah Bovenizer
  6. Google addresses 2 actively exploited vulnerabilities in security update
    Cyberscoop – Matt Kapko
  7. Scattered Spider’s ‘King Bob’ Pleads Guilty to Cyber Charges
    Dark Reading – Kristina Beek
  8. Malicious VSCode extensions infect Windows with cryptominers
    BleepingComputer – Bill Toulas
  9. NSW Electoral Commission asks for cyber security top-up
    itNews – Ry Crozier
  10. Chrome to patch decades-old flaw that let sites peek at your history
    The Register – Thomas Claburn
  11. UK’s attempt to keep details of Apple ‘backdoor’ case secret… denied
    The Register – Connor Jones
  12. EDR-as-a-Service Makes the Headlines in the Cybercrime Landscape
    Security Affairs – Pierluigi Paganini
  13. European Commission pushes for encryption ‘backdoors’
    Brussels Signal – Paddy Belton
  14. EU set to fine Elon Musk’s X up to $1 billion for breaking disinformation law
    Irish Star – Jeremiah Hassel
  15. E-ZPass toll payment texts return in massive phishing wave
    BleepingComputer – Bill Toulas
  16. Expert Used ChatGPT-4O to Create a Replica of His Passport in Just 5 Minutes Bypassing KYC
    Security Affairs – Pierluigi Paganini
  17. Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws
    The Hacker News – Ravie Lakshmanan
  18. WinRAR flaw bypasses Windows Mark of the Web security alerts
    BleepingComputer – Ionut Ilascu
  19. Malicious Python Packages on PyPI Downloaded 39,000+ Times, Steal Sensitive Data
    The Hacker News – Ravie Lakshmanan
  20. Senators re-up bill to expand Secret Service’s financial cybercrime authorities
    Cyberscoop – Matt Bracken
  21. PoisonSeed phishing campaign behind emails with wallet seed phrases
    BleepingComputer – Bill Toulas
  22. Call Records of Millions Exposed by Verizon App Vulnerability
    SecurityWeek – Eduard Kovacs
  23. Trump fires Gen. Timothy Haugh from leadership of Cyber Command and NSA
    Cyberscoop – Mark Pomerleau
  24. Europcar GitLab breach exposes data of up to 200,000 customers
    BleepingComputer – Ionut Ilascu
  25. Rafts of Security Bugs Could Rain Out Solar Grids
    Dark Reading – Kristina Beek
  26. SpotBugs Access Token Theft Identified as Root Cause of GitHub Supply Chain Attack
    The Hacker News – Ravie Lakshmanan
  27. State Bar of Texas Says Personal Information Stolen in Ransomware Attack
    SecurityWeek – Ionut Arghire
  28. OPSEC Failure Exposes Coquettte’s Malware Campaigns on Bulletproof Hosting Servers
    The Hacker News – Ravie Lakshmanan
  29. Australian super funds compromised after data breach as hackers use stolen passwords
    The Guardian – Josh Taylor
  30. “Nudify” deepfakes stored unprotected online
    Malwarebytes – Pieter Arntz

Analysis

  1. PCI DSS 4.0.1: A Cybersecurity Blueprint by the Industry, for the Industry
    SecurityWeek – Kevin Townsend
  2. Intergenerational Mentoring: Key to Cybersecurity’s AI Future
    Dark Reading – Han Cho
  3. State-Sponsored AI Attacks: How Nations Are Using AI to Wage Digital War – The Weaponisation of AI in Cyber Warfare – Part 2
    PrivID (Substack)
  4. Australia’s social media ban is attracting global praise – but we’re no closer to knowing how it would work
    The Guardian – Josh Taylor
  5. Secure Communications Evolve Beyond End-to-End Encryption
    Dark Reading – Robert Lemos

CyAN Members: Op Eds, Articles, etc.

  1. Protecting the Power of AI: Strategies Against Emerging Security Risks
    RSAC Conference – Shantanu Bhattacharya
  2. Antivirus, Firewalls, and VPNs: What Do They Actually Do?
    Fel Gayanilo

🗓️ Upcoming CyAN (and CyAN Partner) Global Events:

📍 Lisbon, Portugal

Supply Chain Cyber Security Summit (SCCS)
April 9–11


📍 Marrakesh, Morocco

GITEX AFRICA
April 14–16


📍 Singapore

GITEX ASIA
April 23–25


📍 Dubai, UAE

GISEC
May 6–8


📍 London, UK

Cyber OSPAs
May 8


📍 Dubai, UAE

CSG Awards 2025
May 7


📍 Dubai, UAE

World AI Technology Expo
May 14–15

🎉 Celebration

CyAN 10th Anniversary
(Details TBA)

📍 Berlin, Germany

GITEX Europe Messe
May 21–23


📍 Rabat, Morocco

MaTeCC
June 7–9

🌐 Online

CyAN Q2 Call (APAC + Gulf)
June 11 – 12:00 GST / 16:00 SGT / 18:00 AEST

🌐 Online

CyAN Q2 Call (EMEA + Americas)
June 11 – 20:00 GST / 18:00 CET / 17:00 UTC / 12:00 EDT

Behind the Keys: Women Who Secure the Future – Fatema Fardan

Want to connect? Here is Fatema Fardan’s professional profile. Feel free to say hello and show your support.

About the Author

Saba Bagheri, PhD
Cyber Threat Intelligence Manager at Bupa APAC
Director at the Cybersecurity Advisors Network