Just a few years ago, information security used to be all about education. People and organisations simply weren't aware of the threats - apart from a few headline-grabbing examples of malware such as the Melissa worm, ILOVEYOU or the Anna Kournikova virus, and even those seemed to fade from memory over time.
As we know, however, the past ten years have seen a shift away from such examples and towards more complex forms of attack: social engineering, targeted attacks, drive-by downloads from compromised web sites, man-in-the-middle attacks, spyware and trojans. Indeed, barely a month goes by without some new form of attack being documented and publicised. With an increasingly complex pool of devices to protect, companies and security vendors have to remain one step ahead. This would seem self-evident, wouldn't it?
The fly in the ointment is when businesses don't think they are likely to be affected. As we reviewed the results of our 2011 SMB threat awareness poll, we were pleased to see that over half of the smaller companies surveyed were familiar with a variety of current attack vectors. Clearly things could be better - there is still work to be done - but it's a good start.
Alarm bells started to ring when we saw that respondents didn't believe they would be targeted by such risks at all. Two possible conclusions can be drawn: first, that respondents who didn't understand the risks also believed they were unlikely to be affected anyway, so why bother finding out; second, that they did understand the risks but just didn't consider themselves to be in the firing line. It's a bit like travelling to a foreign country without reading up on local issues, or ignoring any advice, simply because of the delusional attitude that tourists exist in some kind of protective bubble.
Security breaches do happen to smaller companies, however. Non-targeted attacks are by their nature indiscriminate - the bad guys don't care what size of company is being hit. And as for targeted attacks, it may come as a surprise to some respondents that 40% of such attacks are directed at smaller companies, compared to only 28% aimed at large enterprises. Anyone who thinks they can just keep their head down and stay out of trouble is sadly mistaken.
So, more education is clearly necessary - not just about the threats, but even more so, their likelihood for smaller businesses. Nobody wants to waste money on unnecessary levels of protection and onerous policies, but burying one's head in the sand is not a valid alternative.