SMEs have the same security concerns and requirements as their much larger partners, but how can they afford security that adequately protects them?
Large organisations, their partners and online resources are the most frequent victims of cyber-attack. Verizon’s DBIR 2014 showed that web applications remain the proverbial punching bag of the Internet. To illustrate this point, just take a look at pwnedwebsites.com, which shows recently compromised websites. Meanwhile, research shows that investors might refuse to buy stock in companies that have suffered a data breach. Given these factors, security is a huge issue for SMEs if they are to grow safely.
Security is a vast subject that can drown an SME, but there are three main points to highlight:
1. 100 percent security does not exist.
2. Security is not a technical solution.
3. Security is everyone's responsibility.
It is no longer a question of if you will get attacked, or even when, but how often. As Bruce Schneier puts it in his article "The Future of Incident Response": "What we need is technology that aids people, not technology that supplants them." At the moment, there are open source alternatives to proprietary enterprise software available, but ultimately SMEs also need to look within to keep costs under control.
For SMEs to truly afford security, they need to invest in security awareness campaigns for their employees at all levels of the company. It seems it was the attack on Target during last year's holiday season that made complacent boardrooms aware of the threat of malicious hackers and highlighted the need for education across the board.
Security is everyone's responsibility, but ultimately it should start at the top and work its way down in SMEs, which are unlikely to be able to afford fully fledged security solutions.
Emilio Casbas, threat management analyst and (ISC)2 member at a US-based telco