"I'm just a hairdresser – who would ever want to hack me?"
Cybersecurity professionals like myself get asked variations of this question all the time. It seems common sense that no-one would bother to hack a small high street hairdresser with just a handful of staff.
However, if you think about the question more deeply, there are many reasons why even small businesses may be hacked. Threat actors vary by company, location, size, type, sector and another important consideration: supply chain.
Automated attacks
A vast number of cyber attacks, from over a decade ago until the present day, are completely automated. Someone sets up a tool that goes after a WordPress vulnerability and it goes out scanning a massive range of public IP addresses.
If you look at any website's access log, you will see various attacks aimed at software which is not even present on the server. The automated script will get lucky occasionally.
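To see this in your own logs, the sketch below (an added example, not part of the original article) counts requests that returned 404 for software the site does not run. It assumes Combined Log Format, a site with no WordPress or phpMyAdmin installed, and constructed sample lines; the function names and path patterns are illustrative.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: the site is plain HTML and runs neither product, so requests
# for these paths are unsolicited probes, not visitors.
ABSENT_SOFTWARE = {
    "wordpress": re.compile(r"^/(wp-login\.php|xmlrpc\.php|wp-admin/|wp-content/)", re.I),
    "phpmyadmin": re.compile(r"^/(phpmyadmin|pma)(/|$)", re.I),
}

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2020:03:14:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [12/Mar/2020:03:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [12/Mar/2020:03:14:03 +0000] "GET /phpmyadmin/index.php?lang=en HTTP/1.1" 404 153 "-" "-"
198.51.100.23 - - [12/Mar/2020:09:30:10 +0000] "GET /prices.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2020:09:30:11 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2020:11:02:45 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 404 153 "-" "-"
not a log line
"""

def classify(path):
    """Return the absent product a path targets, or None."""
    path = path.split("?", 1)[0]
    for product, pattern in ABSENT_SOFTWARE.items():
        if pattern.search(path):
            return product
    return None

def find_probes(log_text, min_hits=2):
    """Map client IP -> {product: 404 count} for IPs with >= min_hits probes."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue  # skip malformed lines and anything the site really served
        product = classify(m["path"])
        if product:
            hits[m["ip"]][product] += 1
    return {ip: dict(c) for ip, c in hits.items() if sum(c.values()) >= min_hits}

if __name__ == "__main__":
    for ip, products in find_probes(SAMPLE_LOG).items():
        print(ip, products)
```

An ordinary visitor who triggers one 404 for a missing favicon is ignored, while a client that walks through login pages for products the site never had stands out immediately.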
Masking identity/proxy
If you ask an ex-black hat hacker who would want to hack a hairdresser, they will tell you one main reason: to hide their identity when they hack the real target.
Instead of using a paid VPN or proxy service, which could be traced back to the true IP, the attacker can bounce the attack through many zombie servers. They hack random targets and use SSH tunnelling to confuse matters, so that to the real victim it looks as though company X hacked them.
Ransomware
Ransomware has been used to target companies and organisations of all sizes, including the NHS, large American finance firms, sheriff’s departments, and (yes) hairdressers.
Cryptocurrency mining
I have seen this personally going after FTSE 100s' website infrastructure.
Banking trojans
Every firm has a bank account. Malware can be used to capture logins and pinch money.
Client records
Theft of client records can lead to spear-phishing, more general phishing, identity theft or requests to pay phoney invoices.
Staff records
In addition to the motives above, staff records can be used to find out where someone lives in order to burgle their house.
Supply chain
Imagine the hairdresser offers services to Claridge's hotel – then the hackers could gain information on UHNWI clients. Let's look at two quick scenarios to better illustrate the value of hacking a small constituent of a larger supply chain:
An aerospace engineering manufacturer:
The company supplies Boeing and Airbus (which isn't giving much away since they have thousands of suppliers). They make parts for engines and sell them directly. Boeing and Airbus have a massive supply chain, and perhaps the company in question has new design plans worth stealing, or the designs for the finished part so that someone could make it more cheaply.
A multinational property management firm:
They own property globally and rent out floors and offices. All the properties are known to the public and you cannot remotely steal a building. The main target then is cash, and this company has tonnes of it! They get heaps of emails requesting a money transfer to fictitious suppliers. It only takes a few to get through the spam filter for the criminals to get their payday.

Graeme Batsman
Graeme joined QA in 2017 and has worked in security on and off for 15 years. His last role was as a Senior Technical Security consultant at Capgemini covering the public and private sector.
From the age of 17, he was running investigations into online scams and phishing. Today he teaches and/or has written: CEH, OSINT, CTF (conventional or OSINT), CyberFirst, practical encryption and Security+. Graeme is an avid writer with 130+ articles to his name and a chapter in a published book.
He loves thinking like a hacker to review and tweak settings with a fine-tooth comb.