Brian Granier with the Internet Storm Center[sans.org] compiled some interesting security findings[sans.org] from feedback sent by people working for and with Small to Medium Businesses. I have combined his analysis with some of my own in the pro’s and con’s to each finding.

1. All-in-one security products increasingly available at SMB prices
Pro’s: security needs being addressed
Con’s: over-emphasis on perimeter security, false sense of security provided by a device that is turned on and “left to do its job”

2. Commonly no full-time IT staff
Pro’s: IT and security needs can be outsourced to specialized companies (this can also be a ‘con’, if not managed well)
Con’s: IT and security needs addressed in a reactionary manner

3. Some cases of successful security integration, mostly motivated by external business pressures (i.e., regulations, customer demands)
Pro’s: security needs are being addressed, increasing understanding and support from management for security
Con’s: implementing security strictly to meet regulatory demands can often lead to tunnel-vision – addressing only what is regulated while potentially ignoring higher security risks

4. SMBs often ignore the insider threat
Pro’s: employee privacy, sense of trust
Con’s: insiders are more likely to cause security incidents and outsiders are often just one step away[truedigitalsecurity.com] from being an insider

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.