Originally Posted by Rob Williams
This has proven to be our most popular article in a good while, and there's just ONE comment? Sheesh!
The problem it's so well written and so final in the way it covers the topic (that is, considering is describes 7 common mistakes) that there is little else that can be said
The biggest problem with small businesses approach to security is the lack of technical know-how. Big corporations tend to hire the best professionals on the field. And tend to hire them in good enough numbers so that all collaborate towards the same goal. Small businesses however can usually only afford to hire professionals with limited resumes. This when they actually hire anyone with the IT acronym somewhere in their resume. Often it ends up being instead the tech savy guy in the office that does it. Other times, they simply go for small companies providing some manner of IT services, with questionable maintenance contracts and even more questionable quality of service.
Seems contradictory that the smaller you are, in terms of computer infrastructure, the more likely you are to be less secure. And it is contradictory, in fact. In a technical perspective this doesn't make sense. After all, it's exactly the complexity of your networking services that increase the complexity of the security requirements.
What this goes to show is that we are in desperate need of some sort of technological jump. The things that can be done today with a computer and a cable are simply awesome. We can sell stuff to people on the other side of the planet, we can communicate over text, voice and video. We can track information in real time. We can remotely store information at a fraction of the cost it would take to store it locally. We can guarantee data isn't going to ever be lost (short of a global society breakdown event). However we are doing it still on top of very old communication protocols which offer little to no defense against intrusion, theft, or corruption. As we keep adding layers over layers of innovation to how we use these communication protocols, we will in fact increase the paradox described in this article for the simple reason that the defensive mechanisms become increasingly more complex and, above all, more expensive.
What has actually evolved over the years is how we use old communication protocols. The protocols themselves have evolved little. Like with cars, we have been building better, faster and feature richer cars, but they all still run on the same highly inefficient combustion engines of over a century ago. Granted some sort of positive changes have been happening to TCP/IP for instance (engines are better today too than they were 30 years ago). But in no way this progress constitute a technological advancement the likes of which could change the current IT security landscape.
We need new technology, not stretching old technology until one day it finally breaks.
Of course, easier said than done. The problem is not coming up with higher security protocols nearly impossible to fool with. They exist. The problem is shifting an entire global infrastructure to these new protocols. We moved to fast and before we noticed we had an entire world built of straw houses. People are living in them and it's very complicated now to just build brick houses for everyone.
It's a sad state of affairs. But one that no one can really be blamed. It's just how it happened and it was inevitable. The 8th security F-Up small offices make is trying to use the internet to provide or access services they don't have the ability to secure.