In a smaller shop, this is usually out of necessity. As well all know, SMBs usually don't have the luxury of an expansive technology budget that would allow for extensive resource specialization, meaning only rarely is there budget for dedicated information security staff. Because of this, security tasks usually fall to mainline IT.
Because the stakes of information security can be higher in an SMB -- consider a breach's cost impact as a percentage of an SMB's revenue or the downtime impact of single location being unavailable during a natural disaster -- security can becomes a veritable recipe for keeping SMB technology pros up at night and generally stressed out.
Run With the Big Dogs
Fortunately though, some recent changes in the way enterprises consume IT services can help offset areas that have been traditional information security pain points for SMBs. Specifically, changes like increased adoption of cloud, expanded use of virtualization, and even BYOD can have some beneficial effects in a budget-strapped, security-conscious SMB.
We often hear about the security downsides of these changes -- and it's true the potential exists -- but SMB's have a few advantages in adopting these technologies that their larger cousins don't. Since these trends aren't likely to go away anytime soon -- far from it -- planning for them now gives SMBs a chance to make use of their natural strengths to adopt them successfully and securely.
How are these technologies beneficial for SMB?
It sometimes strikes folks as surprising that the technologies outlined above can actually have a security benefit. After all, aren't we always hearing how dangerous the cloud is and about the perils of a lost or stolen laptop? However, keep in mind that many of the same dynamics that make these technologies challenging to adopt in a large enterprise, at least from a security standpoint, can have the reverse effect in a smaller organization.
For example, one of the biggest challenges for cloud is when multiple cloud technologies are employed simultaneously. For example, consider a situation where a single organization employs multiple service providers, an array of internal private cloud deployments (all at varying levels of sophistication and implementation success), and a wide array of different usage scenarios throughout a number of disparate business areas.
You can imagine how difficult that would be to secure. Not only is there the legwork in discovering and vetting all of the different technologies -- some in house, some not -- and the complexities of monitoring all of the security controls and SLAs, but you also need to stay apprised as new technologies are brought online.
In an SMB, these challenges have the potential to be reduced. For cloud, it's likely that the number of deployments, both internal and with various service providers, will be fewer. This in itself has a potential benefit as it reduces the overhead associated with vetting and monitoring numerous deployments. However, it's also the case that the number of nooks and crannies where individuals might be branching out and making use of new services in unexpected ways (for example, developers making use of AWS without approval from IT) are fewer as well. It's not that this won't happen -- it still will -- it's just that the likelihood of discovering it quickly is higher because there are fewer instances and you're more likely to hear about it.
Virtualization technologies also get more complex with size -- managing 1,000 virtual images is a whole different kind of problem than managing 100,000. Not to mention that dissonance occurs quite frequently in control implementations -- and supporting policy -- when the legacy environment and the virtualized environment are supported at the same time. In other words, the technical and operational aspects of security are most difficult to manage during the transitional period where both the legacy environment and the virtual environment are in use.
For the SMB, the transitional phase of a virtualization initiative has the potential to be shorter when compared with a large organization. Why? Because there are fewer physical machines potentially in scope for migration. Also, the surface area of the most problematic situation -- legacy business applications -- is likely to be smaller.
The impact of this is that the SMB can move more quickly to the post-virtualization phase, which in turn means it can focus on refining the operational controls and processes suited to a virtual environment rather than on maintaining parallel sets of controls and processes across both traditional IT and the virtual space.
Dealing With BYOD
Lastly, BYOD. When it comes to the complexities of maintaining a managed corporate endpoint, we all probably feel that pain acutely. No matter what the size of the environment, it always seems like the security hygiene tasks required to support the endpoint keep us running in place: patching the OS, patching third-party applications, keeping anti-malware software current, backing up data, dealing with user login issues, etc. These are hard to keep running smoothly -- especially on a limited budget. Keeping corporate-provisioned mobile devices locked down and current is similarly complicated.
However, a strategic BYOD initiative -- i.e. one focused on reducing the number of managed mobile devices -- can help offset some of these issues. For example, if you allow employees to make use of a laptop that they themselves provision and potentially leverage a virtual machine image or remote access environment for access to corporate services like email, these tasks can become easier.
Why? Because you can more easily and quickly update the virtual endpoints compared with a physical device. For example, rather than remotely updating machines via an agent, you might choose to just swap out the VM they're using with one with different or update security controls. Employing BYOD mobile technologies, assuming you've thought it through and have deployed a comprehensive set of controls, can have a similar effect on corporate-issued mobile devices. It can help you focus on securing the services, regardless of how they're accessed, rather than focusing just on securing the device. Also, as with virtualization, SMBs can get there faster because of their smaller technology footprint.