Small and medium-sized businesses (SMBs) have it made in terms of security. No, I'm not referring to the threats, vulnerabilities, and business risks. Those are the same regardless of the size of the organization. Instead, I'm talking about how relatively easy it is to establish and build out core information security functions and operations when the business is small. Doing this in an organization with a handful of employees – maybe a dozen or two – that has a simple network and application environment (in-house and in the cloud) is unbelievably simple compared to doing it in larger organizations.
I've helped several small businesses build out their policies, security testing/assessment processes, and technologies over the years and it's so neat to see how they've been able to progress from essentially firewalls and anti-virus to a full-blown IT/security governance program that rivals that of any large enterprise – all with minimal effort over time, relatively speaking. It's the equivalent of parents establishing good habits around eating and exercising in young children that they learn from and build upon for the rest of their lives, instead of doctors and dieticians having to convince a 45-year-old type 2 diabetic that he has to change his entire lifestyle if he's going to fix his heart problems and live past 50. The former is much easier (and less costly) than the latter.
One of the biggest challenges with SMBs is that they may not think they're a target, that they don't have to comply with the various security and privacy regulations, or that they even know about information security practices at all. The former two resolve themselves pretty quickly through breaches and pressures from business partners and customers, who are often large businesses that have stringent security requirements. The latter is the biggest concern, in large part due to these businesses' third-party IT consultants/service providers not fully understanding security. Many, perhaps most, small businesses start out using an outside IT services provider, and I've witnessed a fox-guarding-the-henhouse situation numerous times over the years whereby these outside providers implement firewalls, anti-virus software, and data backup solutions and that's where security begins and, unfortunately, ends.
Another situation that builds on this is something I see with many smaller businesses: technologies and policies are put in place but a security assessment is never performed to determine where things truly stand. It's the cart before the horse. The builder remediation before the home inspection. The chemotherapy before the CT scan. You can't force people to look past their false sense of security but it sure is a big oversight in the SMB space that needs some quick attention.
So, SMB security is simple, but it can be kind of complicated if it's made out to be. The choice is yours – focus on security now while you're young and reap the rewards of simplicity, or put it off so it's more expensive and exponentially more complicated when you're forced to address it down the road. If you own, work for, or serve as a consultant to a small or medium-sized business, make the decision to start and build out a basic information security program. Don't wait; get started on it now and grow into it over time. It'll look after itself as complexity grows with the business and will be so much easier to tweak than having to start from scratch. Something that I can say with conviction because I've been a part of it: you will not regret it.