Even before the economic downturn, cost and complexity of security were major pain points for businesses. Companies just want security issues to go away. This mindset is especially true for SMBs, which lack the resources and skills of large enterprises, and therefore have a harder time gaining control over their security posture.
Additionally, the interconnectedness of the networked economy means that SMBs are facing a myriad of security issues that simply did not exist five years ago. New realities such as globalization, evolving threats, increasing compliance demands and new technologies also present new challenges and more risks. While managing risk is difficult for all businesses, it tends to be more difficult in smaller environments, where there is less expertise to help mitigate it.
One clear example is in compliance spending. Businesses of all sizes have to comply with the latest PCI compliance standards. For smaller companies, that can be a substantial financial burden with no guarantee of increased security. Many times we find SMBs spend all of their resources just meeting compliance before even contemplating security.
While compliance with accepted government and industry regulations is required, it is not a blueprint for security. Measures like PCI compliance are merely an accepted guideline for minimum standards. Because the threat evolves, often in reaction to published compliance standards, it may take years before standards catch up to the threat. Therefore, companies must run routine checks to make sure they are effectively deploying all of their point solutions.
The Five Laws
Because SMBs often do not see the big picture, many tend to ignore the five immutable laws of SMB security, which are:
1. Small is not invisible.
Many SMB owners believe they are safe because they're too small to be interesting to cybercriminal organizations. Nothing could be further from the truth. Cybercriminals target SMBs because they are easier to penetrate than large businesses. Some intruders successfully penetrate SMBs for years at a time before being detected, quietly siphoning off valuable information.
2. It's not about threats. It's about security.
Too often, SMBs focus on specific threats and not the "big picture" of protecting their businesses. There's more to security than firewalls and intrusion protection devices. SMBs can fall into a classic trap by responding to individual threats with knee-jerk reactions rather than examining their entire security stance.
3. Know what you need to protect.
Every SMB has a unique environment, and with that comes unique security vulnerabilities. SMBs must understand the risks in their environment before they can effectively protect against them. The best way to do this is to work with a professional risk assessment team. This assessment will tell SMBs exactly what their risks are and how they can take steps to mitigate them. (continued...)