Small businesses do not have IT departments, and they certainly don’t have IT Security teams. What they have are a few licenses for the most common security products (anti-virus, firewall, etc.) set to the most generic configuration because they don’t have the time or expertise to tune them. Small businesses do not have time for security; they’re too busying trying to stay in the black.
Large companies do have IT departments and IT Security teams and a lot more security products that the IT Security team spends a lot of time tuning so that the large business can get larger without exposing too many vulnerabilities to malicious outsiders. Large companies spend a lot of money on security; consequently security product vendors build tools and devices aimed at the large “enterprise” market.
Do you see the disconnect?
You can’t berate small businesses for not doing enough or their part or whatever you want to call it when the market is not providing them with the means to defend themselves.
The digital forensics market is a great example. There are, for all practical purposes, two options when it comes to highly capable and relatively easy to use forensics tools. But in order to get the maximum capability from these tools you also have to buy very powerful hardware, extra storage, and other things because you can’t do the technical heavy lifting without them.
On the flip side you have small, single-function programs and scripts that are not easy to use (for the non-technical small business owner), but are cheap or free. To put it another way: you can either buy a massive car-repairing robot that speaks English and does not bother you with the details of what it is doing as it services your vehicle, or you can buy the discrete tools necessary to work on a car and a Haynes manual and try to sort things out yourself when the engine starts making funny noises.
Is the security industry simply responding to the market? It certainly is and I’m not going to fault anyone for that. Selling to small businesses is also a lot harder than selling to a big company; more effort to make the same revenue. But it’s not like small businesses aren’t targets, and if I want to get at Big Company X I’m not going to attack them head-on, I’m just going to figure out who all the small sub-contractors and suppliers Big Company X uses and hit them because I know their IT was set up by the owner’s secretary’s nephew who knows all about those inter-webs and whatnot.
So are you a security company or are you a company that sells security products? A security company would be finding ways to make everyone more secure; we already know what security product companies are doing.