At a recent lunch meeting of Wall Street investors, the topic of the day was cybersecurity.  A few of the people in the room had invested in new security technologies, but most were more interested in the inability to slow or stop the attacks that make it into the media.

The Equifax and Marriott breaches – two of the most recent high profile cyberattacks – were still fresh memories and had personally impacted every person in the room. It didn’t take long for the group accustomed to picking apart the business models of companies to get around to a discussion of how do hackers make money and why do they steal the same data over and over again?

This group was no doubt reflective of most executives who lead companies – small and large. They don’t think of hackers has highly organized, sophisticated businesses that operate globally. They are.

IT leaders know their adversaries may be associated with organized crime with a profit motive or they may be affiliated (if not part of) a Nation-State that is more interested in confidential information or disruption.  There is big money in all three endeavors along with significant risks – and the Wall Street group quickly grasped that concept.

But, the jaws dropped when they told the reason behind the repeated attacks: Not your credit or debit card data (although those have value), but your personal information plus passwords. With that simple information that just about every company keeps, attackers can wreak havoc using automated tools.

One of the most simple and prevalent attack vectors is “credential stuffing.” Using simple programs that don’t require much technical skill, a hacker can load entire lists of contact information and passwords obtained from a data breach to seek and access other accounts with the same credentials. Since most people use the same password for multiple accounts, the odds are in a hacker’s favor they will find online banking, credit card accounts, or business information that can be exploited.

Use a credential stuffing attack to access a business account, and a hacker can find their way from one company’s system to another, extracting valuable data as they go. It’s that last part that keeps hackers coming back for more.  People change their passwords, so a password file with updates becomes valuable. People move, so an address file becomes valuable. And so on. More data means more attacks. More attacks translate into more data to sell.

Small and medium businesses are the least prepared and most vulnerable to these type of attacks for the same reasons the Wall Street group was surprised at the real motivation of hackers.  SMBs don’t think they are big enough or their information is not valuable enough to make them a target, according to the National Small Business Association.

Nothing could be further from the truth.