SMB Security Blues
- TAGS: poor security, small business, SMB
- IT TOPICS: Security
I have worked in a few SMB environments in my career, and I have found that they generally don't focus enough time, energy, and money on IT, much less security. It really depends on the business and its needs, but the majority of them are severely underspending on security. And though I don't like it, it really kinda makes sense. Oftentimes SMBs just don't have the money to pay for dedicated resources. Yes, some outsourcing and SaaS companies are making this more accessible to those types of companies, but if the company doesn't have any IT staff to say that they need SaaS or outsourcing, then it is often up to some salesperson to walk through the door or call. And then that salesperson has to hope and pray that the person on the phone has the time to talk, can see a legitimate business need so they will allocate the funds, AND is the person who can spend the money.
I am saying all of this because I found this article over at SecurityFocus. The article says that SMBs are basically trying to spend less time and money on security, even though they know that a big attack could wipe them out. When I read that, I really just had to let out a big, good ol' fashioned "duh" for the reasons given above. Another point in the article is that because SMBs aren't spending enough on security, they are becoming bigger targets. Again, that really seems like another obvious point. It just makes sense. Big companies still get owned, but if a black hat does the research and discovers that "Mom-and-Pop" has a good bit of cash in the bank because of a recent big sale but has little to no security in place, why go after "Big-Honkin'-Company" down the street, which has a security staff, instead?
But all of that obvious stuff had to be in the article because the main contributor to the article wanted to say this:
The average company had a single person spending one hour per week on information-security issues, the study found...
"The last thing they should have to worry about is security, and this tells us that, in fact, that is the last thing they are worrying about," he said. "That means that we need to provide these companies with security technology that allows them to only spend an hour a week and still be secure."
That last line is the issue I have with this article. There are so many companies out there that try to sell pipe dreams. Companies in the IT and security markets have been doing it for years. And if you think you can sell a product to an SMB that lets them spend one hour a week on security and still be secure, then I think another crack pipe is on the market. What I think you are going to end up with is a bunch of black hat hackers laughing at you all the way to their bank in Russia.
Like I mentioned earlier, outsourcing and SaaS work well in these environments, and you can definitely outsource your security functions so that employees in the company don't have to work on them. But that is not feasible for a lot of SMBs because of the cost. That is generally an operating cost, and an SMB may not have that much cash flow. But the main point is that someone somewhere is still spending time on security. All you did was transfer the obligation.
I agree that you have to put something in place that makes the process more efficient. That will help an SMB, and it makes sense. But to say that you need to put something in place that cuts that time down to one hour a week and still keeps the company secure is just not realistic in my mind. And it is irresponsible because it gives a false sense of security.