Who protects small business?

Published: 2012-08-07
Last Updated: 2012-08-07 19:24:51 UTC
by Adrien de Beaupre (Version: 1)
22 comment(s)

It is interesting to note that in most economies a significant percentage of the national Gross Domestic Product (GDP) is actually generated by small and mid-sized businesses. Why is this relevant to information security, you might ask? SANS was recently asked whether there are existing providers of IT security services to this market and, if not, what the prerequisites would be to start and run one. My response follows:

"Yes, I am aware of some businesses that provide IT Security services to SOHO, small, and mid-sized organizations. They tend to be rather small themselves and service a local area. The skills and certifications they have vary widely from none to quite advanced. Some, for example, are extensions of an existing computer repair shop that is branching out. Others are actual IT Security professionals that are attempting to tap into this market area.

I would expect that the skills required would tend to consist of Intrusion Detection, Incident Response, Firewalls, Anti-Malware, as well as general network and systems security. Certifications might include GCIA, GCIH, GCFW, and other more generic or vendor-specific ones.

In my experience most small businesses do not have competent or mature IT support; the probability of them having IT Security is slim to none. The business owners might not perceive the threats, or do not believe they can afford to do anything about them.

One of the bigger hurdles such a provider might face is scalability while remaining financially viable."

Which brings us to an important question. If these small businesses are critical to our national economies and ongoing growth, are they adequately protected against attacks that may target them? What about collateral damage from bots and other malware? Do they have the people and technologies required to defend their computers, networks, and information assets?

A question to the SANS Internet Storm Center readers is, what can be done for small business?

Please let us know what you think using the comments below, or the contact form http://isc.sans.edu/contact.html.

Adrien de Beaupré
Intru-shun.ca Inc.

I will be teaching SANS Sec560 in Montreal this September, and Sec542 in Vancouver this December.

Good questions, and we try to do our part with our customers, potential customers, and public at large by publishing security related articles at http://www.dynamicnet.net/blog/

http://www.dynamicnet.net/2012/07/pci-compliance-scans-small-business-gripes/ goes over a growing concern of ours as we see more and more authorized scanning vendors get stuck on issues which either have ZERO (0) real security impact; or, they forget small businesses often operate on limited funds.

In the latter case, they don't look at security impact and the dollars to get there... and being practical gets thrown out the window.

Impractical or too expensive security generally gets thrown out so rather than increasing the security of small businesses, more and more small businesses are just being scared (financially) away from doing the right thing.

Thank you.

By processing fewer credit card transactions than a large business, a small business may not be a desirable target because it is very easy for credit card companies to correlate fraudulent use back to that business and cancel the cards that were used at that business. Regarding information assets, I think that most small business owners are much more aware of what must be protected - and will take steps to protect it - than executives at large businesses. Whether those steps are sufficient will vary.

For medium-sized businesses, a consulting organization can fill a need that the internal IT can't usually manage on their own. Small businesses are trickier. I'm also a QSA, and my first advice is to eliminate all scope if possible; let the pros handle the data, and keep it out of your environment entirely. That doesn't address all security needs of course, but takes care of the initial pain point, and gives them some breathing room to take a step back and look at what else may be important.

Oddly enough my job was outsourced a while back and I am still in the hunt. In the 6 years I was there, I solely kept >100 users and connections, 7 servers in two States up with 5 9's. What I found out was that it was not the person running the IT (my predecessor had the same issue); it was the management & users that refused to listen because it was an inconvenience to the owner's daughter shopping for clothes, or someone needed the latest joke passed on, youboob, I think you get my drift. Amazing, even though she and others were hit with scareware 4X, it continued, thus turning the IT department into Romper Room. They also loved to use free wireless; fortunately 50% did use the VPN client, but mostly not, so the company CC and other data would be jacked at least 2X a year. So a majority of the time, intrusion protection was overridden by kids wanting to play. Fact is, a lot of SMBs do not get it. Now I wonder if my SSN will be hijacked when the person that does ADP payroll falls for the phish. Fortunately after I left, I froze all of my credit reporting agencies. Good article, but it has to come from both sides, and as long as their PC turns on, they do not get it.

In a good economy, even small businesses will go the extra mile to secure their networks at least to a minimal level.

With things so slow in the United States and the world for that matter, network security appears to many as a cost, not a value. It is difficult to offer services to those who do not want them now. In other words it is not happening.

As the economy improves (we hope it improves anyway) the small business will once again be a focus of Value Added Resellers who can pick up business of most any size. The problem is not then, but now.

In 2009 I tried to get into the business of offering InfoSec support to the small end of medium size business without much success. The biggest challenge was getting in the door. Once inside, if the presentation was to the IT team it was difficult to not be viewed as a work-generating outsider. Presenting higher up the chain, it came down to cost vs. a benefit that could not be quantified in the middle of a recession. I ended up doing third party assessment for a large company. I would be interested in hearing about those that succeed in selling InfoSec services to these companies.

In my experience, the companies in the SMB size suffer from a variety of issues:
1. Understanding - They often lack the understanding of how critical IT security is to their organization. In most cases, IT is viewed as a sore point with no return of value instead of a business enabler.
2. Obscurity - They always assume that because they're small no one is going to bother them. What they fail to understand is that they are a far more attractive target than a larger organization with security policies and technology in place.
3. Cost - There is rarely a true cost / benefit in their eyes. Security services are another expenditure for organizations that are already on a tight budget.

I'm curious to hear about other challenges that security professionals in this market face.

I look after small businesses. I have a range of customer profiles:
The best: ones that understand the importance of infrastructure and security - we have a budget, an interested employee who I train to look at logs, check backups, patch systems, and I check regularly to see all is well. Systems are patched, and upgrades are done.

Others wait until catastrophe strikes, then they come running for help, and we either apply some duct tape, or we do a major round of upgrades and documentation, only to have it all run gradually downhill until the next crisis.
Note that the latter category will spend more on keeping their Mercedes running smoothly than on their IT & security.

One other domain that was missed here is Disaster Recovery. In my experience, very few small businesses have any backups, let alone a recovery plan. Again, costs vs. "it won't happen to me" are a battle. Getting the owner or anyone in upper management to really care about these concerns (even when presented with hard numbers) is a difficult challenge.

I want to completely disagree with your comment "I think that most small business owners are much more aware of what must be protected - and will take steps to protect it - than executives at large businesses."
That is complete buffoonery. Yes, I said buffoonery. The issue is not that small and medium businesses don't understand what's important to protect; the issue is they don't possess the skills necessary to secure those assets. Understanding the keys to your kingdom and what makes an attractive target is important, but anyone can do that. The gap is what's in our wheelhouse: security best practices, logging, auditing, alerting, encrypting, multi-factor auth, layered defenses, on and on... It does no good for a small business owner to know what's a target but then not have any expertise to address it. Without question, every single small business I've been in has inadequate security. Leave security to the experts. InfoSec guys know that even a very talented IT pro will fail when attempting to implement effective security on their own... let alone a small business owner.