Who protects small business?
It is interesting to note that in most economies a significant percentage of the national Gross Domestic Product (GDP) is actually generated by small and mid-sized businesses. Why is this relevant to information security you might ask? SANS was recently asked if there are existing providers of IT security services to this market? If not, what would be the prerequisites to starting and running one? My response follows:
"Yes, I am aware of some businesses that provide IT Security services to SOHO, small, and mid-sized organizations. They tend to be rather small themselves and service a local area. The skills and certifications they have vary widely from none to quite advanced. Some are extensions of an existing computer repair shop, for example, that is branching out. Others are actual IT Security professionals that are attempting to tap into this market area.
I would expect that the skills required would tend to consist of Intrusion Detection, Incident Response, Firewalls,
Anti-Malware, as well as general network and systems security. Certifications might include GCIA, GCIH, GCFW, and other more generic or vendor specific ones.
In my experience most small businesses do not have competent or mature IT support, so the probability of them having IT Security is slim to none. The business owners might not perceive the threats, or do not believe they can afford to do anything about it.
One of the bigger hurdles such a provider might face is scalability while remaining financially viable."
Which brings us to an important question. If these small businesses are critical to our national economies and ongoing growth, are they adequately protected against attacks that may target them? What about collateral damage from bots and other malware? Do they have the people and technologies required to defend their computers, networks, and information assets?
A question to the SANS Internet Storm Center readers is, what can be done for small business?
Please let us know what you think using the comments below, or the contact form http://isc.sans.edu/contact.html.
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
I will be teaching SANS Sec560 in Montreal this September, and Sec542 in Vancouver this December.
Comments
http://www.dynamicnet.net/2012/07/pci-compliance-scans-small-business-gripes/ goes over a growing concern of ours as we see more and more authorized scanning vendors get stuck on issues that either have ZERO (0) real security impact; or, they forget small businesses often operate on limited funds.
In the latter case, they don't look at security impact and the dollars to get there... and being practical gets thrown out the window.
Impractical or too expensive security generally gets thrown out so rather than increasing the security of small businesses, more and more small businesses are just being scared (financially) away from doing the right thing.
Thank you.
DynamicNet
Aug 7th 2012
yvesk
Aug 7th 2012
Tim
Aug 7th 2012
scsmith77
Aug 7th 2012
With things so slow in the United States and the world for that matter, network security appears to many as a cost, not a value. It is difficult to offer services to those who do not want them now. In other words it is not happening.
As the economy improves (we hope it improves anyway) the small business will once again be a focus of Value Added Resellers who can pick up business of most any size. The problem is not then, but now.
Al of Your Data Center
Aug 7th 2012
Fred
Aug 7th 2012
1. Understanding - They often lack the understanding of how critical IT security is to their organization. In most cases, IT is viewed as a sore point with no return of value instead of a business enabler.
2. Obscurity - They always assume that because they're small no one is going to bother them. What they fail to understand is that they are a far more attractive target than a larger organization with security policies and technology in place.
3. Cost - There is rarely a true cost / benefit in their eyes. Security services are another expenditure for organizations that are already on a tight budget.
I'm curious to hear about other challenges that security professionals in this market face.
Todd
ITW094
Aug 8th 2012
The best: ones that understand the importance of infrastructure and security. We have a budget, an interested employee whom I train to look at logs, check backups, and patch systems, and I check regularly to see all is well. Systems are patched, and upgrades are done.
Others wait until catastrophe strikes, then they come running for help, and we either apply some duct tape, or we do a major round of upgrades and documentation, only to have it all run gradually downhill until the next crisis.
Note that the latter category will spend more on keeping their Mercedes running smoothly than on their IT & security.
carol
Aug 8th 2012
Kent
Aug 8th 2012
I want to completely disagree with your comment "I think that most small business owners are much more aware of what must be protected - and will take steps to protect it - than executives at large businesses."
That is complete buffoonery. Yes, I said buffoonery. The issue is not that small and medium businesses don't understand what's important to protect; the issue is they don't possess the skills necessary to secure those assets. Understanding the keys to your kingdom and what makes an attractive target is important, but anyone can do that. The gap is what's in our wheelhouse: security best practices, logging, auditing, alerting, encrypting, multi-factor auth, layered defenses, on and on... It does no good for a small business owner to know what's a target but then not have any expertise to address it. Without question, every single small business I've been in has inadequate security. Leave security to the experts. InfoSec guys know that even a very talented IT pro will fail when attempting to implement effective security on their own... let alone a small business owner.
Powerman
Aug 8th 2012