Brian Granier with the Internet Storm Center[sans.org] compiled some interesting security findings[sans.org] from feedback sent by people working for and with Small to Medium Businesses. I have combined his analysis with some of my own in the pro’s and con’s to each finding.
1. All-in-one security products increasingly available at SMB prices
Pro’s: security needs being addressed
Con’s: over-emphasis on perimeter security, false sense of security provided by a device that is turned on and “left to do its job”
2. Commonly no full-time IT staff
Pro’s: IT and security needs can be outsourced to specialized companies (this can also be a ‘con’, if not managed well)
Con’s: IT and security needs addressed in a reactionary manner
3. Some cases of successful security integration, mostly motivated by external business pressures (i.e., regulations, customer demands)
Pro’s: security needs are being addressed, increasing understanding and support from management for security
Con’s: implementing security strictly to meet regulatory demands can often lead to tunnel-vision – addressing only what is regulated while potentially ignoring higher security risks
4. SMBs often ignore the insider threat
Pro’s: employee privacy, sense of trust
Con’s: insiders are more likely to cause security incidents and outsiders are often just one step away[truedigitalsecurity.com] from being an insider