PremiseEver since entering the cyber security industry in 2000, I have often wondered about the small to medium business market. Essentially individuals handling sensitive data at extremely small scale who are concerned only with business sustainability at a per-transaction level. What makes them tick? What do they have to lose? What are they worried about? Are they a market worth pursuing?
I have some thoughts.
Someone close to me has ventured into the small business world, specifically providing a service oriented business on a very small scale and for local clients only. Her business is seasonal, but she handles financial data from her customers and her employees, and conducts financial transactions. Her service is swim instruction. We are literally talking life skills. She has 1 computer. She plans to build from small to medium and is hoping for a business that is self sustaining and ever growing. So in observing this small business, the risks to the actual sustainability include:
1. Poor reputation. The business is largely dependent upon peer relationships and organic growth. If the reputation of the business goes south, then so does the business. Key contributors to a poor reputation include: perception of the value of the service (kids don't demonstrate the expected growth), injury or death of a student, failure to deliver promised services.
2. Failure to deliver services. If for some reason the teachers were unable to attend sessions, or the facilities were rendered inaccessible, the business could not deliver services and would have to refund payments. In a business this small, there is no margin for that beyond the incidental, once a year occurrence.
3. Competitive prices. If a competitor (private or public) were to price their services at a significantly lower rate, the business could not attract customers. There is already a balance between quality and price. Comparatively, the low price competition does not actually stack up to my friend's business, but when a family is looking at "swim instruction" for $50 a session vs. $30 a session, that makes a real difference in affordability over time.
4. Loss of finances. The business is currently so small, literally every student counts, and every penny is accounted for and relied upon. A $10 monthly service processing fee for payroll is scrutinized.
I have a relationship with another small business owner in the optometry industry. When talking to them, their main concern is the availability of patient records, and status of their equipment. None of their services are provided online and are exclusive to in-person evaluations and consultation. Much of the evaluation is based on trends over time, thus elevating the availability of the records. With a two geographically disperse practices, there is no need for data synchronization across locations and thus an on-premise paper system works great for the needs of the business. Billing is another story.
In this example, the risks are the same as the Swim School so I won't repeat them. The thresholds are different, but core issues are the same.
Cyber Industry & Threats
Now, compare the issues the cyber industry is concerned about.
3. Service disruption
4. Data theft (customer and proprietary)
Does a small business care about any of these? Let's take them one at a time.
Malware. Small business has a malware infection on a local system. What's the worst possible impact? Probably financial malware that steals banking info - let's say Zeus. Banks offer most of these business customers mitigation tactics like multi-factor authentication, and the business is so small, they would notice unusual movement of money should it occur. Is rapid detection and an anti-malware service really helping them in any tangible way?
Fraud. Same argument as above. What's the worst that could happen? Probably that their financial information is stolen, accounts accessed, and money moved. However, are they really being exposed to fraudsters? Are they being phished? Are they selling enough product or services that a fraudster would try to generate fraudulent purchases? Probably none of the above apply.
Service disruption. Most of these small business have a web presence, but are not necessarily dependent upon them to conduct their business. Some are, but especially in the services industry, the online presence is informational or used for customer loyalty and ease of scheduling etc.
Data theft. Some of these small business do have sensitive data, however extending that data into Internet resources (going paperless) actually increases their risk. The worst that could happen is for their customer data to be exposed or stolen somehow either through a server breach or persistent malware. Again, I'd question the likelihood given the limited impact and financial gain from an adversary perspective. Denial of access to the data probably poses the greatest risk, which could invoke malware that locks access to the system - ransomeware.
Espionage. Rarely will a small business have data that is worth the effort of the theft from a competitive perspective. Again, probably not a real threat.
What Do they Need?
Most likely, the core need of these small to medium business is general IT problems; making sure their computer systems are fast and online.
What they really need is someone to sift through all the noise, and help them navigate the fears of the cyber world. They need little more than access controls and desktop AV.
They need consultants who will charge minimal fees to help them understand what they really need and what they don't...from a genuine risk and business protection perspective.