New series: The plight of small business defenders
Trustifier is about to release a new security innovation called TUX, designed to deliver to SMBs a comprehensive and automated bundle of protections against all major cyber threats. TUX is an AI engine with a natural language processor interface. It’s designed for people who aren’t ITsec gurus and don’t want to be, and can’t afford enterprise offerings. Since many SMBs probably fit this description, this series will discuss SMB cyber security issues to coincide with the release of TUX. As you will see, TUX introduces a very positive, new solution option for them.
Time to help SMBs
In an ever increasing inter-connected world, the rising cyber security tide should also raise the smallest boats which make up the majority. Is this happening, or are many of those at risk of sinking? We all shop at local business establishment and many of them are small businesses. Many SMBs make up the supply chain or may be services partners to large enterprises, government and the public. Over 90% of western economies are driven by small and medium business, covering all sectors and verticals. SMBs provide most jobs as well, so are people’s livelihoods threatened by the escalating cyber threat environment?
Start with these three great posts
The following three posts outline the problem SMB cyber security better than I ever could. Each of them is recommended reading.
The IT Security Poverty Line
Wendy Nather may have been the first to really bring needed attention to the plight of small business “living below the IT security poverty line” in her must-read post, “The Security Poverty Line, and junk food“. In 2011 Wendy wrote,
” I coined the term “security poverty line” to describe those organizations that, for one reason or another (usually a lack of IT funds), can’t afford to reach an effective level of security, much less compliance with security regulations.”
“So although some people see the failure to achieve compliance or effective security as simply a matter of attitude (“if you really cared about auto safety, you’d buy a Mercedes!”), it’s not that simple.”
Wendy describes some of the things you might find going on in such environments and why solutions may be more easily prescribed than acted on, and afforded, and points out a few common infosec platitudes. For example, it’s not free to use open source if you have to pay someone to set it up and maintain it.
Has anything changed since she first wrote this post? A couple of things. One is the nature of the threat environment; attacks are more insidious and malicious. SMBs are targeted more than ever. It’s a matter of when, not if now. Investing in cyber security protection has become a requirement to be in business. There are more compliance requirements than ever. Obviously, SMBs need to find the best defensive capability possible to face today’s threat environment while maximizing bang-for-the-buck.
The smallest of the small
The next post is by Bob Rudis who was heavily influenced by Wendy’s post. His post “Security Hobos“ is also a must-read if one wants to understand what a small business is dealing with. He extends the discussion to the smallest or the small, which he calls truly small businesses (TSB). This could apply to micro-businesses and start-ups as well. He describes Mom & Pop retailers struggling just to make a living running their business while living under threat of POS malware. He tells us,
“These truly small business (TSB) owners aren’t living below the security poverty line, they are security hobos. They kinda know they need to care about the safety of their data, but their focus is on their business or creative processes. When they do have time to care about security, that part of their world is so complex that it’s far too easy to make the choice to ignore it than to do something about it.”
“Those tasks may be as autonomous as breathing for security folk and technically-savvy users, but they are extraneous tasks that are confusing for most TSBs and may often cause instability issues with the wretched POS software options out in the marketplace. These folks also cannot afford to hire security consultants to do this work for them.”
He ends trying to make some sensible recommendations for the TSB made as painless as possible and calling on infosec professionals to help out.
Who IS helping the little guy?
My final selection in the trio is the post “Who is Helping the Little Guy?“ by Michael Tanji. He says,
“Small businesses do not have time for security; they’re too busying trying to stay in the black.”
“Large companies spend a lot of money on security; consequently security product vendors build tools and devices aimed at the large “enterprise” market.”
“Do you see the disconnect? You can’t berate small businesses for not doing enough or their part or whatever you want to call it when the market is not providing them with the means to defend themselves.”
He then asks this question of infosec that might lead to a little soul-searching.
“So are you a security company or are you a company that sells security products? A security company would be finding ways to make everyone more secure; we already know what security product companies are doing.”
Don’t send an enterprise vendor for a small business job
Now that RSAC, the biggest security show of the year is wrapping up, I wonder how much at that show was directed for the biggest segment of the market, SMBs. I didn’t see much in the tweet stream or in the media in this regard.I was unable to spot any indication that the SMB market isn’t going to remain greatly underserved by the infosec industry. I’ve seen a few people suggest there’s a trickle down cyber security that works the same way that trickle down economics does? Right…. By the way, it’s been shown that it doesn’t work for economics either. Even though a few companies who did attend do target medium size companies, most of the talks and most of the vendors are geared to the large enterprise. <See bullet #1> Needless to say, if your game plan has primarily been to sell to the enterprise, you probably just can’t just turn around and sell enterprise kit to SMBs. It likely just won’t scale down well.
As Bob Rudis writes in his post, helping to secure SMBs is not only the right thing to do, ultimately we are helping ourselves. Although cyber security investment is becoming a required cost of doing and staying in business, smaller customers are underserved by the industry. Securing SMBs sounds like a very tough challenge, but that’s why TUX is needed. Not only does TUX bring a higher level of security, it is itself the delivery vehicle for that security. This is advanced cyber protection, comprehensive yet affordable to resource strapped entities, so TUX AI will be something to watch out for. If you haven’t checked out the TUX Quick Tour yet, it can be found on our start page here.
Next post: Myth-informed about cyber attacks? ——- >
Original, custom artwork by Scott Lewis