Infosec Cutbacks in the SMB Arena
McAfee recently conducted an information security survey of 100 small and medium-sized companies in nine countries. Seventy-one percent of the respondents said that they believed a single data extrusion (data leakage) incident could put their companies out of business, yet three-quarters of those surveyed reported that their information security budgets had been reduced or frozen. Twenty percent of the respondents said that their companies had suffered a data extrusion incident within the last year, and the average cost of a security incident was reported to be $41,000. Finally, two-thirds of the survey participants reported that they devoted fewer than three hours each week to information security-related activity.
The results of this survey highlight a problem that seldom comes to light: the state of security in the small and medium-sized business (SMB) arena. We often hear of security breaches, particularly data security breaches, within Fortune 500 companies, but seldom hear of incidents within smaller companies.
If I were a member of the black hat community, I am not sure how I would view opportunities to launch attacks against smaller businesses. I suspect that the odds of successfully attacking these entities are high and that the probability of being detected, let alone being prosecuted by law enforcement, is very low. But simply getting away with successful attacks is not much of a goal. What would the potential gain be in terms of theft of intellectual property, the ability to manipulate the payroll, the ability to initiate bogus financial transactions, and so forth? Again, I suspect that there would be less to gain than with larger organizations. All things considered, therefore, smaller businesses may not be all that much of a target to attackers.
But this does not mean that no attacks against organizations within the SMB arena will occur, nor does it mean that when an attack is successful, it will not have much impact upon smaller companies. Consider, for example, what happened as a result of Hurricane Katrina. A disproportionate number of smaller businesses were never able to resume normal operations afterwards, causing them to go out of business. The fact that 71 percent of the businesses in the McAfee survey said that one data security breach might be all that is needed to put their companies out of business is very noteworthy in this regard.
So where should a smaller company start in getting some kind of reasonable information security risk management effort in place? We as information security professionals are constantly told that we must have “tone at the top” if we are going to be successful, but in smaller organizations, organizational charts are incredibly shallow. I hope I am wrong, but I suspect that in a smaller organization, a few “heroes for security,” people who start doing the right things for the sake of security without much, if any, backing or mandate, will be more likely to make a positive impact than anything else (provided, of course, that what they do is mostly transparent to users and does not cost much). So, for example, a system administrator might start to systematically install patches for critical vulnerabilities in a timely manner and might also implement a few inexpensive network security measures, such as a low-end appliance firewall for Web applications. But this system administrator would have to know what to do first, and chances are this person will not receive any kind of training because of the lack of security budgets in such organizations. So when it comes to information security risk management, the SMB arena is likely to continue to be like skaters who wander out onto thin ice on a lake in the winter.