Why am I writing this post? Because I have worked in SMEs for a while, and the smaller and younger they are, the more I worry about their attitude and ability to respond to security events. In fact, I worry about their ability to even identify that they have had a security event.
This has been made worse in the last twelve months with the additional responsibilities of GDPR. Now there is a potentially massive financial implication of a data breach, not just from the cost of remediation but also from the DCO.
Sure enough, there are a lot of vendors offering people silver bullets to protect them from the evil hackers sitting out there in their dark rooms with their hoodies up. But there are two major problems with that. One is that there is no silver bullet, and relying on one is a big mistake. The second is that without security knowledge in the business, they are never going to mature and be able to deal with the emerging cyber security threats. A further problem with the peddlers of silver bullets is that what they sell is not cheap. These small companies are (generally) concerned with building up their revenues to turn a profit, and extra security costs are a luxury. So I suppose they could use open source tools, of which there are plenty. But then we come back to knowledge and skills: open source tools are by their very nature more difficult to set up, let alone to set up correctly.
Another concern is the patching and updating of equipment. In a small company, is that really going to be a priority?
Even those vendors that promote defence in depth and tell you that their tools should be used in conjunction with others are just too expensive. I fully appreciate the need for the expense; building some of these tools is a long and prolonged process that costs money.
If you look at this from the hacker's point of view, these companies provide an ideal learning ground for future breaches. Not only that, but they also provide possible jumping-off points for bigger fish. Why would you attempt a breach against a massive organisation with sophisticated security prevention measures and a security team when you can go for one of their suppliers who has no security knowledge at all?
So why am I writing this post? Because there seems to be a massive gap in the market when it comes to helping these companies meet their GDPR requirements and also protecting them from hackers. I am not sure what form a solution might take, but there is surely an opportunity for somebody to fill that gap.