SMBs: Security is Important, Threats Aren't Concerning?

An article popped up on HelpNetSecurity earlier today highlighting an interesting, if not contradictory, survey report released by NCSA and Symantec. In the SMB-oriented survey, about 3/4ths of respondents indicated that they felt cybersecurity is "critical to their success," but at the same time about 2/3rds indicated that they "aren't concerned about cyber threats" (either internal or external). Even more perplexing, the vast majority indicated not having formal written policies, yet at the same time the vast majority were satisfied with their cybersecurity posture.

This, my friends, is an interesting paradox. How is it that businesses can, on the one hand, claim to be aware of the importance of cybersecurity practices, and yet, on the other hand, so completely fail to comprehend what practices are necessary and important? To me, there are three likely components to the answer.

1. Ignorance

First and foremost, I have to attribute these contradictory responses to ignorance. As I've mentioned in the past, many practices within GRC and cybersecurity simply aren't scalable. The average SMB is unlikely to have budget to hire a team of experts, and thus will rely on the less-developed expertise of cross-domain professionals. At worst, smaller orgs may not even be able to afford anybody with a cybersecurity background, or they may rely exclusively on what they're told by service providers, vendors, and the media.

While I do not think it is reasonable to expect SMBs to be universally "expert" in cybersecurity or GRC (as noted in this post with Branden Williams last January), I do believe that businesses must at least achieve a nominal understanding of due diligence and what their responsibilities are from a business and compliance perspective.

2. Naiveté

Secondly, I think these responses reflect a degree of naiveté that is dangerous. Again, coming back to the end of the previous point, businesses must conduct a reasonable degree of due diligence in ensuring that their resources are adequately secured and risk adequately managed. Perhaps many of the respondents believe that because they aren't aware of a compromise, they will not be, or have not been, a target. However, we have ample evidence that this is not a sound assumption to make. One need only look at the various examples of wire fraud cases of late where SMB accounts were compromised to see the potential for compromise. Or, perhaps they believe that their outsourcers and vendors have already taken care of these concerns for them, though without explicitly confirming this to be true. In either case, it's a bit concerning.

More importantly, such a naive mindset does not reflect a reasonable perspective on business survivability. SMBs are particularly susceptible to going out of business due to disastrous expenses or emergencies. It's the very nature of SMBs to have fewer reserves and capabilities than larger orgs. Yet, at the same time, failing to plan for certain eventualities like compromised systems, loss of key personnel, or data exfiltration is at the very least irresponsible, and may in fact rise to the level of a far more serious charge...

3. Negligence

In the legal sense of things, negligence is a failure to exercise an ordinary amount of care, as measured by the "reasonable man" (see definitions here, here, and here). On the one hand, SMBs could potentially make the argument that the "reasonable man" would not expect a higher level of care today than they are following. However, I think this argument fails as there are now myriad sources of information available to businesses of all sizes that would apprise them of their responsibilities.

However, I think the main limitation here is that negligence (whether tortious or criminal) seems to generally apply to individuals and not as much to businesses. Moreover, there does not appear to be much, if any, case law that would support successfully pursuing a negligence case. That said, with SCOTUS ruling that "corporations are people" (a rough paraphrasing;) in Citizens United, it seems a small step to then find businesses of all sizes negligent when failing to meet even the most basic of security practices.

At the end of the day, that may be a stretch (for now)... however, suffice it to say, the first two points certainly apply... it's no wonder Congress and the President are so interested in passing cybersecurity regulations today... let's just hope that any such regulations follow my suggested format instead of trying to be prescriptive (and, thus, inadequate)...

In the meantime, if you know anybody in the SMB space, now would be a good time to start speaking with them about what actually amounts to the level of commercially reasonable practices, because sooner rather than later they may be held to account, both publicly and legally.

