SANS ISC: Who protects small business? - SANS Internet Storm Center SANS ISC InfoSec Forums
Who protects small business?

It is interesting to note that in most economies a significant percentage of the national Gross Domestic Product (GDP) is actually generated by small and mid-sized businesses. Why is this relevant to information security, you might ask? SANS was recently asked whether there are existing providers of IT security services to this market and, if not, what the prerequisites to starting and running one would be. My response follows:

"Yes, I am aware of some businesses that provide IT Security services to SOHO, small, and mid-sized organizations. They tend to be rather small themselves and service a local area. The skills and certifications they have vary widely from none to quite advanced. Some are extensions of an existing computer repair shop, for example, that is branching out. Others are actual IT Security professionals that are attempting to tap into this market area.

I would expect that the skills required would tend to consist of Intrusion Detection, Incident Response, Firewalls, Anti-Malware, as well as general network and systems security. Certifications might include GCIA, GCIH, GCFW, and other more generic or vendor-specific ones.

In my experience most small businesses do not have competent or mature IT support, so the probability of them having IT Security is slim to none. The business owners might not perceive the threats, or do not believe they can afford to do anything about it.

One of the bigger hurdles such a provider might face is scalability while remaining financially viable."

Which brings us to an important question. If these small businesses are critical to our national economies and ongoing growth, are they adequately protected against attacks that may target them? What about collateral damage from bots and other malware? Do they have the people and technologies required to defend their computers, networks, and information assets?

A question to the SANS Internet Storm Center readers is, what can be done for small business?

Please let us know what you think using the comments below, or the contact form.

Adrien de Beaupré Inc.

I will be teaching SANS Sec560 in Montreal this September, and Sec542 in Vancouver this December.


Adrien de Beaupre

353 Posts
ISC Handler
Aug 7th 2012
Good questions, and we try to do our part with our customers, potential customers, and the public at large by publishing security-related articles at goes over a growing concern of ours as we see more and more authorized scanning vendors get stuck on issues that either have ZERO (0) real security impact, or they forget small businesses often operate on limited funds.

In the latter case, they don't look at security impact and the dollars to get there... and being practical gets thrown out the window.

Impractical or too expensive security generally gets thrown out so rather than increasing the security of small businesses, more and more small businesses are just being scared (financially) away from doing the right thing.

Thank you.
By processing fewer credit card transactions than a large business, a small business may not be a desirable target because it is very easy for credit card companies to correlate fraudulent use back to that business and cancel the cards that were used at that business. Regarding information assets, I think that most small business owners are much more aware of what must be protected - and will take steps to protect it - than executives at large businesses. Whether those steps are sufficient will vary.
For medium-sized businesses, a consulting organization can fill a need that the internal IT can't usually manage on their own. Small businesses are trickier. I'm also a QSA, and my first advice is to eliminate all scope if possible; let the pros handle the data, and keep it out of your environment entirely. That doesn't address all security needs of course, but takes care of the initial pain point, and gives them some breathing room to take a step back and look at what else may be important.

5 Posts
Oddly enough my job was outsourced a while back and I'm still in the hunt. In the 6 years I was there, I solely kept >100 users and connections, 7 servers in two states up with 5 9's. What I found out was that it was not the person running the IT (my predecessor had the same issue); it was the management & users that refused to listen because it was an inconvenience to the owner's daughter shopping for clothes, or someone needs the latest joke passed on, youboob, I think you get my drift. Amazing, even though she and others were hit with scareware 4X, it continued, thus turning the IT department into Romper Room. They also loved to use free wireless; fortunately 50% did use the VPN client, but mostly not, so the company CC and other data would be jacked at least 2X a year. So a majority of the time, intrusion protection was overridden by kids wanting to play. Fact is, a lot of SMBs do not get it. Now I wonder if my SSN will be hijacked when the person that does ADP payroll falls for the phish. Fortunately after I left, I froze all of my credit reporting agencies. Good article, but it has to come from both sides, and as long as their PC turns on, they do not get it.

6 Posts
In a good economy, even small businesses will go the extra mile to secure their networks at least to a minimal level.

With things so slow in the United States and the world for that matter, network security appears to many as a cost, not a value. It is difficult to offer services to those who do not want them now. In other words it is not happening.

As the economy improves (we hope it improves anyway) the small business will once again be a focus of Value Added Resellers who can pick up business of most any size. The problem is not then, but now.
Al of Your Data Center

80 Posts
In 2009 I tried to get into the business of offering InfoSec support to the small end of medium size business without much success. The biggest challenge was getting in the door. Once inside, if the presentation was to the IT team it was difficult to not be viewed as a work generating outsider. Presenting higher up the chain it came down to cost vs a benefit that could not be quantified in the middle of a recession. I ended up doing third party assessment for a large company. I would be interested in hearing about those that succeed in selling InfoSec services to these companies.
Al of Your Data Center
3 Posts
In my experience, the companies in the SMB size suffer from a variety of issues:
1. Understanding - They often lack the understanding of how critical IT security is to their organization. In most cases, IT is viewed as a sore point with no return of value instead of a business enabler.
2. Obscurity - They always assume that because they're small no one is going to bother them. What they fail to understand is that they are a far more attractive target than a larger organization with security policies and technology in place.
3. Cost - There is rarely a true cost / benefit in their eyes. Security services are another expenditure for organizations that are already on a tight budget.

I'm curious to hear about other challenges that security professionals in this market face.
Al of Your Data Center
1 Posts
I look after small businesses. I have a range of customer profiles:
The best: ones that understand the importance of infrastructure and security - we have a budget, an interested employee who I train to look at logs, check backups, patch systems, and I check regularly to see all is well. Systems are patched, and upgrades are done.

Others wait until catastrophe strikes, then they come running for help, and we either apply some duct tape, or we do a major round of upgrades and documentation, only to have it all run gradually downhill until the next crisis.
Note that the latter category will spend more on keeping their Mercedes running smoothly than on their IT & security.

10 Posts
One other domain that was missed here is Disaster Recovery. In my experience, very few small businesses have any backups, let alone a recovery plan. Again, costs vs. "it won't happen to me" are a battle. Getting the owner or anyone in upper management to really care about these concerns (even when presented with hard numbers) is a difficult challenge.

2 Posts
I want to completely disagree with your comment "I think that most small business owners are much more aware of what must be protected - and will take steps to protect it - than executives at large businesses."
That is complete buffoonery. Yes, I said buffoonery. The issue is not that small and medium businesses don't understand what's important to protect; the issue is they don't possess the skills necessary to secure those assets. Understanding the keys to your kingdom and what makes an attractive target is important, but anyone can do that. The gap is what's in our wheelhouse: security best practices, logging, auditing, alerting, encrypting, multi-factor auth, layered defenses, on and on... It does no good for a small business owner to know what's a target but then not have any expertise to address it. Without question, every single small business I've been in has inadequate security. Leave security to the experts. InfoSec guys know that even a very talented IT pro will fail when attempting to implement effective security on their own... let alone a small business owner.
9 Posts
I work for a small community bank. I do a presentation for our small to medium business customers several times a year on information security. We also do an outreach program through our local chamber of commerce on information security. It's been fairly successful so far. We've even started offering it to individual customers as an outreach program. I sold it to my superiors that the time spent builds goodwill with our community and reduces losses to our customers, making them better customers. They were quick to authorize these programs and remain very supportive of them today.

2 Posts
I'm with powerman, actually - I did IT consulting for small businesses for many years. They don't have 'technology' or 'IT stuff'... they have some computers. Fundamentally, a different thought process regarding their tech. More often than not, the 'server' is under the boss's desk, the core switch is under a coffee table, and the wireless access point is sitting on top of a file cabinet. This is a huge risk, since the machine doing most of the file serving is probably also used to check the boss's email. It's not that they're ignorant of the risks; it's just not what they think about every day like we do.

What small businesses don't have is budget for security tools. Most small biz can't afford Cisco... they can barely afford Sonicwall. Likely, they're buying Linksys. They certainly don't have the budget for big AV, like McAfee or Symantec - unless they're running the 'home' version of those tools. With no central reporting and management, there's no way to see that all the machines are staying current, or if one gets infected. Since small business owners don't want to spend what little money they have on fixing computer problems, I can imagine that many of them will just work around an infected computer, so long as it still allows them to do their work.

The sad thing is when a small business runs afoul of their bank in terms of PCI. If all of a sudden, a mom & pop shop has to come to grips with the fact that they're a Level 1 merchant, they may as well shutter the doors.

9 Posts
I agree with your comments, so much so that my graduating project for my Masters in Information Security and Assurance was a guide for shareholders of small businesses. It is not expensive to apply some basic security measures. The single most important part is beginning with a solid usage policy and following up with training. When trying to promote this to shareholders translate it into $$$$ and you will catch their attention.
3 Posts

Most small businesses are wary of anyone coming in the front door with a hardware or software solution to sell (to mitigate a risk they can't "see"). Eli's right, they have computers and the diligent ones have taken the extra step to take backups. Owners will ask, "Why isn't that enough?" My own consulting work revolves around helping small businesses identify and close these gaps, but usually after they've experienced an incident. It's easy when something is [figuratively] on fire. It's when an ember is smoldering under the surface that you have to work at bridging the risk awareness gap. Talking about 0-days, obscure router vulnerabilities, and cross site scripting will get blank stares and a polite trip to the door if you're pitching the CEO of a small firm, but security consultants that connect the dots between that employee you just fired and your customers getting calls from a competitor can get through to any small business owner. There are several three-letter government organizations that provide pretty good data on small business security breaches these days, and coupled with the threat of fines, mandated audit fees, and the occasional inflammatory headline, that can get attention. I think Adrien hits the nail on the head by identifying the policy side of things. Not expensive and a great place to start.
1 Posts
I couldn't say it better myself... So much this:
"because it was an inconvenience to the owners daughter shopping for clothes, or someone needs the latest joke passed on, youboob I think you get my drift. Amazing, even though she and others were hit with scareware 4X, it continued, thus turning the IT department into Romper room"

The perception is they're too small to be a target for anything serious. The methods of exploitation are too complex for them to understand, so it's not considered a realistic scenario to them. Them being the owners of most small businesses. I work this world every day, unfortunately.
1 Posts
While I agree that budget plays a big role in small companies not doing security, I feel that something is better than nothing. You don't have to spend big bucks to get basic security, and basic security is better than no security.
Most SOHO shops probably run Windows and there is free anti-virus software from MS (no, it does not do reporting, but something is better than nothing). Automatic updates is free to run (again, no, it does not do reporting, but something is better than nothing). You can review the event logs on the computers for free (I know this takes time, but if you don't want to spend the bucks then some elbow grease is needed).
I think the real problem is a lack of understanding about the tools that are available and a lack of understanding about how to use them. I have found that education is the key to success in the SOHO security environment.

69 Posts
It also runs into higher levels of enterprise level businesses as well. "important person/department wants company to be visible on facebook, open access to it for all staff", "we need access to yousendit or dropbox with no filtering" etc.

23 Posts
During these presentations to the potential customer, have any of you obtained localized threat reports from major cyber security firms and/or gov't organizations to illustrate how real the invisible actors are? All of your comments have been a great help and have revealed numerous considerations to assist in formulating my securities business idea within the INFOSEC/PERSEC/PHYSEC arenas. I think two of the biggest problems that we face in our society are that most citizens do not want to know the truth of how dangerous our tech really is, since we utilize it on a daily basis. The second being that the information is not publicized as it is within the US Military.
1 Posts
The mental state of most Entrepreneurs is that despite being naked they can run fast enough that no one can catch them. Common folks have computer problems, not these guys.

The classic case that we see is the small medical office where partners are carrying $400K/year home but don't want to upgrade office PCs because it costs too much. These are the same folks that have an insider embezzling -- in an alarming number of cases.

Aside from a brain transplant, the answer is to talk these folks into going to the cloud, where at least OS upgrades happen automatically.

17 Posts
If it ain't broke, don't fix it, don't assess, secure, patch, monitor or prepare for it.

I agree that small businesses seem to go to a small local IT business or a single knowledgeable person for their needs, but whoever does this quickest and cheapest is probably doing them the greatest disservice in regard to security, whilst securing future business for themselves responding to repeated incidents.
Steven C.

171 Posts