The recent Verizon Data Breach Report states that an estimated 85% of all breaches happen at companies with 1-100 employees. That’s a significant percentage; one that can hardly be ignored.
I have a theory as to why this continues to be an issue, and I’m hoping people will chime in and agree, disagree, add more to it, etc. As security practitioners we focus on enterprise clients: the work tends to be more interesting, the business steadier and the budgets better. Additionally, enterprise companies get security, at least conceptually, even if they don’t put it into regular practice. We tend to use terms like pen testing, pen test, vuln assessment, etc. that may not resonate with smaller businesses. So I like the term Ethical Hacking Services. People get hacking, even if the view might be negative, so throwing ethical into the term makes it a positive statement they can understand.
But to me, the real issue is providing solutions that meet a budget or, in some cases, carve out a little from the IT budget. I’ve actually been talking to small businesses about this for some time. I won’t go into a lot of the discussions on budgets, but suffice it to say what they can stomach is pretty low. We’re talking $300-$400 a month on average. Not too much you can do with that.
So here are a few points to consider. What could we do for these companies? What type of ethical hacking services would help? Do we have a responsibility to help these companies or is it up to them to catch up?
I find small business security very interesting, but as a security consulting company I’m not convinced it’s lucrative, and I don’t believe I’m alone. So again, we have a disconnect.