I don't consider myself a doomsayer or pessimistic person by any stretch, but after looking at network security statistics recently, it's difficult to be rosy. Here are just a couple of highlights I came across:
1. According to Symantec's research, in 2010 approximately 286 million different types of malware were responsible for more than 3 billion total attacks on computer users.
2. The cost incurred by the average business, according to a study conducted by the Ponemon Institute, which looked at 45 organizations, was $3.8 million per year. This number included all the costs associated with the cyber threat, such as responding to, mitigating, and cleaning up after an attack. The time it took to resolve data breaches ranged from 14 days for outside attacks to 42+ days for internal attacks.
So, why are SMBs especially vulnerable? Two primary reasons: SMBs have the same security protection needs as their enterprise counterparts, yet they rarely have the internal IT skills and solutions in place to protect themselves.
In fact, a study conducted by Verizon titled "2012 Data Breach Investigations Report" corroborates this, adding "More than 90% of data breaches required only the most basic hacking techniques." The fact is that most SMBs could significantly reduce their security vulnerability by partnering with a VAR/MSP that could provide them with a proactive, managed security solution.
Before you print these stats and share them with your stubborn SMB clients, I'd suggest heeding some advice from Dr. Alistair Forbes, general manager at GFI MAX. Forbes recently shared with me the following words of wisdom:
"Suddenly arriving at a client's business and suggesting to them that the cyber sky is falling is a common tactic to sell security services and products. A gifted salesperson may be very successful in selling business on fear, uncertainty, and doubt. VARs and MSPs are better served to focus on having a long game mentality with their clients. The VAR/MSP should avoid pushing clients to immediately implement large technological change when the same security improvements can be achieved by incremental improvements, a tactic worthy of consideration.
It may not be necessary to try to re-build the business IT infrastructure overnight. Staged rollouts and integration of new products and services, especially those behind the scenes like cloud-based anti-spam and managed anti-virus are generally more successful than a complete re-build. The incremental approach avoids sticker shock and business disruption caused by too much change in a small time period."