But I wonder, sometimes, if this attitude doesn't hurt small and midsize businesses, in which having even one full-time security professional is more than many can afford. Such businesses are just as concerned about security as their larger counterparts, but when their people attempt to ask questions or get the tools they need to build strong defenses, they are treated as "neophytes" or given tools they simply do not have the time or skills to learn to use properly. And because they don't have tools that work at their skill levels or have the support of the elite security community, they are sometimes left with no easy way to access the best defenses and tools available.Without a viable in-house option, many SMBs begin to seek out third-party security services that can help them do business securely. They begin to pay attention to late-night TV ads for Finallyfast.com or Internet ads that promise "spyware removal services" at impossibly low prices. And the next thing they know, small business IT administrators have made their environments even less secure than they were before.
And the situation is getting worse. As the economy shrinks, SMBs have even less time and resources to devote to security. But in difficult economic times, cybercriminals step up their efforts to hack and fool small businesses, and the number of fraudulent "security services" and solutions continues to increase. Despite advances in security technology, one could easily argue that SMBs have never been so vulnerable to attack than as they are right now.
What's needed is some guidance on how to choose third-party security services, especially when you have little or no security expertise in-house. SMB employees with IT responsibilities need to understand the vast differences between services from companies such as Microsoft or AT&T, and the technologies that are offered by startups and independent service providers that may -- or may not -- offer viable options. Next week, Dark Reading will publish a short guide about how to choose a service provider -- a report that will at least provide a few tips on the selection process.
But more help is needed. In the long run, SMBs need some means of vetting potential security service providers, either through standards organizations or a sanity-checking organization that plays a role similar to Consumer Reports. It isn't fair that the companies least able to evaluate security services -- those with the fewest security skills -- are the ones most likely to rely on third-party service providers for the very integrity of their data. It's simply too easy today for a small business to be sold down the river by a security service provider that promises the moon.
Until some method of certifying security services exists, however, I call on the most talented and savvy security professionals -- the readers of Dark Reading -- to play a more active role in helping small businesses to learn what they need to know about security. This assistance could take the form of guidance offered via online forums or Websites, where real expertise is hard to find. Or perhaps some of these savvy security pros ought to test out these third-party services -- the Finallyfast.coms of the world -- and find out whether they really do what they say they do. It seems to me that such an honest evaluation would be at least as valuable to the public as finding another fleeting flaw in Microsoft Office, if not more so.
What do you say, security researchers? How about checking for vulnerabilities in security services, as well as application code? For the folks who can't afford to do it themselves, a little help from the best in the class might be just what the doctor ordered.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message