Tight budgets no excuse for SMBs’ poor security readiness


From the “left hand doesn’t know what the right hand is doing” department:

Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be “hard-pressed” to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.

Well, let’s leave the vested interests of security sales aside for a moment.


I recently read an article about the “IT Doesn’t Matter” thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don’t fully utilise their resources, don’t fully understand the capabilities of the technology they have, and don’t follow good practices (never mind good security practices), this is all a moot point.

There are a lot of good SMB IT practices that have nothing to do with the “keep the hackers out” side of security but do come under the sort of thing that I, like many IT professionals, view as aspects of “InfoSec” and that are really just basic “Good IT and Information Resource Practices”. We can see many of them demanded by SOX/Bill-198 and the like: backups, access controls, integrity checks on databases, de-duplication/version control (how many revisions of that letter in MS-Word are there now that you’ve sent it out as an email attachment and everyone has read and altered it?), and change management (not just applying patches and updates but resource management – adding disks and servers and printers).

Are these really expenses? I don’t think so. Much of the fruit of research is like this: the research itself – even as trial and error – was expensive, but once the lesson has been learnt, the cost for others to apply it is no different from the cost of doing things any other way.

IT has plenty of examples of that. The DoD and IBM spent a fortune and years experimenting with different approaches to development and IT management to establish the trade-offs and what was and wasn’t effective. There’s no shortage of textbooks based on those principles. In my time I read those, mostly the Yourdon ones, and put them into practice, and LO! – It Works! I found I was good at estimating and getting stuff done on time, on budget, documented … yamma yamma. But along the way I encountered resistance from managers who often argued that this approach was too expensive. How so? Delivering late, buggy code, lack of documentation, improper testing, over-runs: those are expensive! I saw it again when SQL databases were introduced, and I’ve been told by my elders that this happened when HLLs replaced assembler.

No doubt this happens with each iteration of technological advancement, be that technology hardware, software or practices.

So my case is that the issue isn’t that SMBs have poor security readiness, but that many businesses have poor operational security because they have poor operational practices. And that includes staffing, training and awareness.


About the author

Security Evangelist
