Just because you don’t have a person dedicated to information security doesn’t mean it can be ignored!  If your business works with critical infrastructure, credit card data, electronic personal health information or personally identifiable information, you are a target.

Small and midsize businesses are suffering substantial, sometimes devastating losses to cyberattacks that are becoming increasingly difficult to detect and prevent. While it isn’t yet likely that Advanced Persistent Threats (APTs) target SMBs, they are targets of automated botnets using polished, highly convincing phishing and social engineering techniques, and sophisticated malware that requires no special skills on the part of attackers, thanks to the proliferation of relatively inexpensive malware kits on the criminal market.  SMBs often succumb to the same attacks as individual consumers, but the repercussions are typically far worse: Business as well as personal accounts are compromised; corporate accounts, credit cards and sensitive data are exposed through employees as well as owners; and banks are under no obligation to make good on losses even if a business account is drained of tens of thousands of dollars. Midmarket companies should not feel safe because the big attacks on major companies—Lockhead Martin, Sony, Epsilon, EMC/RSA, Google, Adobe—make the headlines. You may assume your company’s size and obscurity puts it below the radar, but while you may not be singled out for targeting, you may well be a target of opportunity.  There are plenty of stories in the press these days about small businesses, local governments and small healthcare organizations losing money or sensitive customer data.
Many of the cascading technical and process deficiencies at SMBs stem from the fundamental belief that information security and data protection doesn’t matter because their firms are too small to worry about it.  For most small business owners, it is easier to ignore the risk until something happens, then it becomes real.  Breaches and data loss may be caused by external entities such as cybercriminals, competitors, and customers.  However, they can also be caused employees and users.

[Click picture above to open Breach Sources graphic full size]
What are the criminals going after?  For many small businesses, it is company bank-related information, customer credit cards, or personal information.  You know the saying about go where the money is…

[Click picture above to open Data Lost graphic full size]

What can you do about it?

Most information security and data protection efforts can be classified in three distinct techniques along the security lifecycle as prevention, detection, and response.  In terms of large enterprise security, these techniques make up a 3-legged stool.  Ignore one of the legs and that stool (a metaphor for your information security program) will not stand up very well.


Prevention is applying techniques in people, process, and technology to prepare the organization eliminate or reduce the risk of an attack occurring or being successful.  The goal of prevention is to minimize your target area.

  • Threat and Vulnerability Management (vulnerability scanning, penetration testing, patch management, minimum security baseline configuration)
  • Perimeter security tools (firewalls, email security, anti-virus, intrusion prevention)
  • User Awareness (education/training, policies, procedures)
  • Data Protection (identity and access management, encryption, data leak prevention)


Detection is being able to accurately and quickly identify that that an attack has occurred while verifying whether it was successful or not.

  • Audit Logging (enterprise log collection, analysis and archival)
  • Security Information Management (intrusion detection/prevention, event correlation, tuning and optimization)


Response is the capability to quickly and efficiently address attacks when they are detected.  For the detection process to have any value there must be a timely response.  The organizational response to different incident categories should be planned well in advance.

  • Incident Response (policy, procedure, arrangements with a 3rd party, training, CIRT team development)

Is It Time to Outsource?

A few years ago, many organizations viewed any type of outside security service as taboo. Security operations were considered too private and important to hand off to an outsider, so enterprises continued to hire security specialists and purchase point tools to handle security in-house. But these attitudes are changing—security skills are expensive and hard to find, malware threats are growing in numbers and complexity, and the cost of a data breach can add up to hundreds of millions of dollars. Enterprises are increasingly interested in outsourcing some portion of their security management.  Small businesses can outsource a majority of their security operations, but remember that outsourcing does not completely transfer risk and liability.
In general, security experts agree there are three primary reasons companies decide to outsource security technology to service providers:

  • Lack of internal staff and security expertise needed to set up and manage security devices and tools.
  • Financially speaking, it is more cost effective to partner with security service providers than investing in on-premise equipment, management, and maintenance fees.
  • New levels of sophistication from cybercriminals threaten traditional security methods, and IT managers can benefit from security intelligence services such as those delivered in realtime through SaaS platforms.

You might think your business doesn’t have anything worth stealing but cyber criminals don’t agree. They target small and medium businesses because typically they don’t pay much attention to security. Don’t be a victim, invest in good security now (prevention and detection), before you need it (response).  Pondurance can help develop or improve your information security management program to address all three legs of the stool.
Steve Lodin is a consultant with Pondurance and has been a CISSP since 1998.