The Myth of the "Small Target"
"We are a small Hong Kong firm. Why would a hacker in Eastern Europe care about our data? We aren't HSBC or the HK Government."
If you have ever said this, you are falling for the most dangerous lie in cybersecurity. Hackers do not usually start their day by picking a specific "famous" company to attack. In fact, for most cybercriminals, the process is much more like a predator hunting in a forest—they don't look for the strongest animal; they look for the one with the limp.
Understanding how hackers choose their targets is the first step in making your company invisible to them. Here is the cold, hard logic behind how the "shortlist" is created.
1. The Agitation: Hackers are Lazy and ROI-Driven
Cybercrime is a multi-billion dollar business. Like any business, hackers care about Return on Investment (ROI). They want the maximum amount of money for the minimum amount of effort.
If they have to spend six months trying to get past the 24/7 security team of a major bank, their ROI is low. But if they can use a script to find 500 small-to-medium enterprises (SMEs) with an unpatched VPN or an open RDP port, they can attack all of them at once.
In the eyes of a hacker, your company is not a "name"; you are an "IP address with a vulnerability." If your digital front door is unlocked, you have just volunteered to be their next target.
2. The Tool: How They Find You (The Digital Neighborhood Watch)
Hackers use automated scanners like Shodan, Censys, and specialized botnets to "knock on every door" on the internet.
--- They aren't looking for "Your Company Ltd."
--- They are looking for "Any server running Windows Server 2012."
--- They are looking for "Any Fortinet VPN that hasn't been updated since last month."
Within minutes, a hacker can generate a list of 5,000 companies globally—including many in Hong Kong—that have a specific, exploitable hole. Once you appear on that list, the "attack" has already begun.
3. The Industry Factor: High Pressure = High Payout
While any company is a target, hackers do prioritize industries that cannot afford a single hour of downtime. This is why we see a surge in attacks on:
--- [1] Logistics and Shipping: In a hub like Hong Kong, if a logistics firm’s systems go down, ships don't move and warehouses stop. Hackers know these firms are more likely to pay a ransom quickly to get back to work.
--- [2] Law Firms and Accountants: These firms hold sensitive client data but often have "part-time" IT security. Hackers use the threat of a data leak (PDPO violations) as a massive lever for extortion.
--- [3] Healthcare: Patient lives depend on data access. This "high stakes" environment makes them a "Premium Target."
4. Initial Access Brokers: The "Middlemen" of Crime
There is a whole economy on the dark web dedicated to "Initial Access Brokers" (IABs). These are hackers who specialize only in breaking into a network and then selling that access to others.
An IAB might find a way into your Hong Kong office via a weak employee password. They won't steal anything. Instead, they will post on an underground forum: "Access to HK Construction Firm, $20M revenue, Global Admin rights. Price: $2,000."
A ransomware group buys that access, and 24 hours later, your files are encrypted. You weren't "chosen" by the ransomware group; you were "bought" like a commodity.
5. Tutorial: How to Get Your Company Off the "Shortlist"
To stay safe, you don't need to be "unhackable"; you just need to be more expensive to attack than the company next door.
--- [1] Hide Your Management Ports: Close your RDP (3389) and SSH (22) ports to the public internet. If a hacker’s scanner can't see an open door, they move to the next IP address.
--- [2] Patch Within 48 Hours: When a "Critical" patch is released for your VPN or Firewall, hackers start scanning for unpatched versions within hours. If you patch quickly, you disappear from their "Target List."
--- [3] Attack Surface Management (ASM): Use tools that show you what the hackers see. If you have a forgotten "Test Server" sitting in a corner of your cloud, a hacker will find it. You need to see it first.
--- [4] Implement Multi-Factor Authentication (MFA): 80% of "Initial Access" is gained through stolen passwords. MFA makes your company "unattractive" to IABs because it requires too much work to bypass.
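Steps 1 to 3 above can be turned into a routine self-check that runs against your own asset inventory. The script below is an added example, not code from the original post or from UD: it audits a constructed list of firewall or security-group rules for management ports open to the whole internet (step 1), flags "Critical" patches that are still unapplied after the 48-hour window (step 2), and produces the hardened rule set in which management access is restricted to an assumed management network (the 203.0.113.0/24 documentation range stands in for it). The extra ports beyond RDP 3389 and SSH 22, the rule and advisory records, and all function names are assumptions of the example.

```python
"""
Self-audit for the "shortlist" checks: management ports exposed to the
internet and Critical patches past the 48-hour window.
All input data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# RDP and SSH come from the article; VNC and SMB are added as an assumption
# of common management/lateral-movement services worth keeping off the internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 445: "SMB"}
PATCH_SLA = timedelta(hours=48)   # the article's "patch within 48 hours" rule


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule, in the shape most cloud security groups use."""
    name: str
    proto: str        # "tcp" or "udp"
    port_from: int
    port_to: int
    source: str       # CIDR allowed to connect


def is_internet_wide(cidr: str) -> bool:
    """True when the source allows every address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def exposed_management_ports(rules):
    """Return (rule name, port, service) for each management port that a
    rule opens to the whole internet. An empty list means you are not on
    the scanner's list for these ports."""
    findings = []
    for r in rules:
        if r.proto != "tcp" or not is_internet_wide(r.source):
            continue
        for port, svc in MANAGEMENT_PORTS.items():
            if r.port_from <= port <= r.port_to:
                findings.append((r.name, port, svc))
    return findings


def overdue_patches(advisories, now):
    """advisories: (asset, severity, released_at, patched_at or None).
    Returns (asset, hours outstanding) for Critical patches still
    unapplied after PATCH_SLA."""
    overdue = []
    for asset, severity, released, patched in advisories:
        if severity != "Critical" or patched is not None:
            continue
        age = now - released
        if age > PATCH_SLA:
            overdue.append((asset, age // timedelta(hours=1)))
    return overdue


def harden(rules, mgmt_source):
    """Weak setting beside the corrected one: any internet-wide rule that
    covers a management port is rewritten to accept only mgmt_source.
    A catch-all rule (0-65535) is restricted wholesale; failing closed is
    the safer default for a forgotten test server."""
    fixed = []
    for r in rules:
        hits = [p for p in MANAGEMENT_PORTS if r.port_from <= p <= r.port_to]
        if r.proto == "tcp" and hits and is_internet_wide(r.source):
            fixed.append(Rule(r.name, r.proto, r.port_from, r.port_to, mgmt_source))
        else:
            fixed.append(r)
    return fixed


# Constructed inventory: one public web rule, one exposed RDP rule, one
# correctly restricted SSH rule, and one forgotten catch-all rule.
SAMPLE_RULES = [
    Rule("web-https", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("admin-rdp", "tcp", 3389, 3389, "0.0.0.0/0"),      # weak setting
    Rule("ops-ssh", "tcp", 22, 22, "203.0.113.0/24"),       # already restricted
    Rule("legacy-any", "tcp", 0, 65535, "0.0.0.0/0"),       # forgotten test server
]
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)     # constructed clock
SAMPLE_ADVISORIES = [
    ("vpn-gw-1", "Critical", NOW - timedelta(hours=72), None),
    ("fw-edge", "Critical", NOW - timedelta(hours=70), NOW - timedelta(hours=60)),
    ("fileserver", "Medium", NOW - timedelta(days=30), None),
    ("vpn-gw-2", "Critical", NOW - timedelta(hours=12), None),
]

if __name__ == "__main__":
    for name, port, svc in exposed_management_ports(SAMPLE_RULES):
        print(f"EXPOSED  {name}: {svc}/{port} reachable from the internet")
    for asset, hours in overdue_patches(SAMPLE_ADVISORIES, NOW):
        print(f"OVERDUE  {asset}: Critical patch unapplied for {hours}h")
    hardened = harden(SAMPLE_RULES, "203.0.113.0/24")
    print("exposed after hardening:", exposed_management_ports(hardened))
```

On the constructed data the audit reports the `admin-rdp` rule and every management port covered by the `legacy-any` catch-all, and lists `vpn-gw-1` as 72 hours overdue while `fw-edge` (patched) and `vpn-gw-2` (12 hours old) are not flagged; after `harden` runs, no management port remains reachable from the internet. In practice the rule list would be exported from the firewall or cloud provider and the advisory list from the patch-management system.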
Don't Be the Easiest Target
Hackers don't choose companies based on prestige; they choose them based on opportunity. By closing your technical gaps and maintaining a proactive defense, you make your company an "unprofitable" target.
Is your company currently visible on a hacker’s "Shortlist"? Contact our team for a Free External Attack Surface Scan to see exactly what a hacker sees when they look at your business.
🛡️ Ready to Strengthen Your Security?
UD is a trusted Managed Security Service Provider (MSSP)
With 20+ years of experience, delivering solutions to 50,000+ enterprises
Offering Pentest, Vulnerability Scan, SRAA, and a full suite of cybersecurity services to protect modern businesses