Last month, we hosted our Twitter #SecChat on How To Keep Security a Priority, particularly for SMBs with limited IT resources. When it comes to security, attacks can happen regardless of your business size or type (as the recent and numerous security breaches at Sony can attest). How are SMBs supposed to prioritize security when they have a limited IT staff and resources that have already been stretched thin? This is exactly what we hoped to discover during our Security Chat.
To kick off the conversation, we asked participants what they considered to be the three most important things to focus on when you have limited security resources. @jsokoly pointed out that in most SMBs he’s seen, keeping security a priority isn’t the problem, but rather making it a priority in the first place is the problem—a sentiment echoed by many participants. @451wendy and @hal_pomeranz also chimed in, “One problem is that many of these SMBs fall below the ‘security poverty line’—can’t afford good IT, much less security.”
Matt Sarrel, @msarrel, put forth the suggestion that creating security awareness comes first—administrators need to know what’s going on in the security world and see how others defend their resources. @labnuke and @Wh1t3Rabbit further elaborated on the idea that knowledge comes first, pointing out that defining the problem is a crucial first step – SMBs need to know what data they need to protect and where this data is located. However, I pointed out during our chat, many SMBs put too much of their focus on web, email and malware, and many forget about protecting the data itself. @msarrel agreed that a lot of businesses don’t know where their data even lives or the financial value of that data.
Eventually the conversation shifted as @labnuke noted that many business leaders are too busy dealing with the actual business to take the time to define the value of their data, a task that he suggests seems to belong to IT. But, as @averagesecguy and @joshcorman both agreed, “As long as we are relying on overworked IT staff to implement security, we will never be doing enough.” @Wh1t3Rabbit added that most companies don’t spend on security because it’s not seen as a necessity, and @dewer agreed that many companies are reactive to the problem – they only spend when the problem occurs, and this usually results in spending more money than they would have if they invested in proactive security measures.
The conversation winded down with @451wendy asserting, “We have created a whole industry out of keeping security separate from IT, and now many people can’t afford to buy IT separately.” For SMBs to ‘get’ security, @andrewsmhay suggests that it needs to be presented to them as something that will help availability, or in other words, the complexity of security needs to be eliminated.
This message ties in strongly with the editorial brief McAfee recently published on managing security without having to live and breathe it. Our solutions reduce complexity, but are also designed for affordability and practical usability.
Stay tuned for our next #SecChat on June 23rd, 11am PT where we’ll discuss stealth crimeware. Feel free to tweet at @IntelSec_Biz with any questions/feedback in the meantime.