Are SMBs hiding their heads in the sand, or do they really not have a clue?
Having spent over 20 years in IT and specifically Information Security, working primarily in consulting into the enterprise market, I thought, in the twilight of my career, it might be interesting to see if I could take that expertise and experience and apply it to the small to medium business sector. Primarily those businesses that are heavily reliant on IT and carrying out B2B or retail e-commerce. It has been an interesting ride.
This sector has, in my opinion, been largely ignored for years, with most of the large Infosec companies and consultancies targeting what they consider to be the most profitable clientele. No criticism there, it makes commercial sense. When you've got a high cost base then that's exactly what you need to do. However with growing evidence that SMBs are targeted with increasing frequency, it is time perhaps for the industry and the SMB market to sit up and take notice. Or so I thought.
It is true that attacks in this space do generate a lower return in terms of both publicity and cost; however, a hit of, say, 50K on a business that has a turnover of just over a million and a margin of around 5 to 8% can be pretty disastrous. And the one thing that did immediately hit home to me was just how tight some of the margins are in these businesses. This makes them very cost conscious, and driving down cost becomes second nature, almost a mantra in some cases. Can't say I blame them.
Just recently an SMB, trying to complete a PCI self assessment questionnaire, approached their local IT company and, through them, myself, and asked some very basic questions, so basic in fact that it was quite disturbing. What they wanted was free consultancy, not uncommon I'm afraid. This happens because many SMB IT staff are young, enthusiastic and totally inexperienced, probably selected from the workforce exactly because they are young and, compared to many, IT savvy in the way that the young are. Again, I'm not knocking this; many young people have a lot to offer the industry, but they have to be nurtured, trained and allowed to pick up experience. They can't just be thrown into the deep end and expected to swim.
So with this in mind, it makes sense to me that they need to target their IT spend, and therefore their security spend, wisely and instead of just throwing a firewall at it, they need to actually realise their risk, their vulnerabilities and the threats that look to exploit those vulnerabilities, in order to spend their limited budgets wisely and to maximum effect. Hardly news to us, it's what many of us have been preaching for years.
This being the case, why did I find that it is extremely difficult, but not impossible, to get them to listen? Firstly, they are terrified of the word 'consultant'. They liken it to someone who wants to attach a vacuum cleaner to their bank account and suck out as much money as they can. That doesn't need to be true, it just needs to be what they think. Perception can be much more damaging than truth. Secondly, they listen to vendors who tell them that their product is the 'solution' they are looking for. This is generally supported by someone in their IT organisation who has a favourite product or vendor, whose products he or she understands and is comfortable with. That person doesn't want to have a bunch of stuff coming in that they don't understand and that might show up deficiencies in their knowledge. We've all had that person in the audience during a pre-sales meeting. Now, products have their place, generally as part of a solution which is worked out from a risk treatment plan; rarely, if ever, is a product a solution in its own right. However, if you're told that you don't need this expensive consultancy to design a solution, all you need is a firewall and a bit of anti-virus for a fraction of the cost, and you are cost averse in the extreme, you are already 75% there.
Now, before all the vendors out there start to take umbrage, I'm not against products, they have their place, in fact, there is significant product placement going on on this forum every day from some notable salesmen that I have known for a lot of years. But these products have to be placed as part of a solution by someone who knows exactly what prioritisation needs to be applied to the risks in order to maximise the spend.
Many SMBs have a local IT company that they have become reliant upon. That IT company will almost certainly be a re-seller of some sort. That IT company will be reluctant to admit that they too have little idea about security and how to apply it. Oh, they know all about firewalls and anti-malware because that's what they sell, install and configure, but they know little about risk management, or that the client could probably save money by instituting some simple rules and policies which would plug some significant gaps. What I am finding is that if I can get time with these IT companies and start to educate them, and show them that I am not a threat but rather an enhancement to the services they provide, then they will be prepared to introduce you to their clients, which gives you the in that otherwise you just won't get.
Partnerships are nothing new in the enterprise; in fact they are pretty common. However, in the SMB market they rarely exist, there just isn't room for them. Getting the concept over remains a challenge, but one I am up to. Banging my head against a brick wall is something I've become pretty good at over the years.