I have already started to hear a number of security professionals rebroadcast a new McAfee report about small to medium business (SMB) owners in America. McAfee is said to show that these business owners are naive and unprepared because they do not focus their time on security vulnerabilities, even after they suffer a breach.
My problem with all this is that none of it seems to come from a risk management perspective, which threatens to undermine the credibility of the whole study. For starters, McAfee sells security products, so of course they are going to say that more concern is needed in the market. Just last month they “pledged a renewed focus on the small-and-midsize business market, where the security firm said it’s beefing up its product line and sales support.” The more concern, the more product you buy, right? Second, what qualifies McAfee to say that an SMB’s approach to risk is incorrect? They do not make a strong case that SMB behavior needs to change for any truly compelling reason other than to be more secure. That argument goes over like a lead balloon in the boardroom, I can tell you for certain. I wish it were another way, but the simple fact is that SMB owners do risk management every minute of every day as a matter of survival, and when they do not perceive security needs, why does McAfee feel they are the ones qualified to judge that behavior?
Let me try to put this in perspective. A company formerly owned by Halliburton was awarded a no-bid contract to be the electrical contractor for US facilities in Iraq. The latest news is that this giant company is accused of having such improper risk management practices that they literally kill innocent soldiers:
Although it was aware of the problems that caused the deaths of Everett and Maseth, KBR did not make repairs that could have spared the lives of US soldiers, said Crawford.
“KBR has claimed that its contract did not cover fixing potential hazards, only repairing items after they broke down,” she said.
Many security professionals who call upon their employer to plan for improvements are often faced with budget shortfalls, and must tangle with managers who will do whatever they can to avoid making changes and adding workload/cost to their project plans. The stories about Halliburton’s old subsidiary sound familiar:
Debbie Crawford, who worked as an electrician for KBR in Iraq, drew a grim picture of incompetence, lack of accountability, poor leadership and poor workmanship by KBR.
“Qualified electricians found it difficult to deal with the complacency, the lack of leadership, the lack of tools and materials, and the lack of safety… Time and again we heard, ‘You’re in a war zone, what do you expect?’ and ‘If you don’t like it you can go home,’” she said.
Indeed, what do you expect from risk management? The NYT just revealed that these electrical problems are not an isolated issue:
And while the Pentagon has previously reported that 13 Americans have been electrocuted in Iraq, many more have been injured, some seriously, by shocks, according to the documents. A log compiled earlier this year at one building complex in Baghdad disclosed that soldiers complained of receiving electrical shocks in their living quarters on an almost daily basis.
Electrical problems were the most urgent noncombat safety hazard for soldiers in Iraq, according to an Army survey issued in February 2007. It noted “a safety threat theaterwide created by the poor-quality electrical fixtures procured and installed, sometimes incorrectly, thus resulting in a significant number of fires.”
The Army report said KBR, the Houston-based company that is responsible for providing basic services for American troops in Iraq, including housing, did its own study and found a “systemic problem” with electrical work.
But the Pentagon did little to address the issue until a Green Beret, Staff Sgt. Ryan D. Maseth, was electrocuted in January while showering. His death, caused by poor electrical grounding, drew the attention of lawmakers and Pentagon leaders after his family pushed for answers. Congress and the Pentagon’s inspector general have begun investigations, and this month senior Army officials ordered electrical inspections of all buildings in Iraq maintained by KBR.
With this in mind, the fact that McAfee is making news about potential bugs in IT code at resource-constrained SMBs seems to pale into insignificance. What damage lies ahead for those SMBs who do not heed the warning?
I wish it were some other reality, but that is the tough situation of managing risks in IT when compared to overall business risks. Without compliance terms, such as the Payment Card Industry Data Security Standard (PCI DSS) that calls out specific fines for mishandling cardholder data, McAfee does not appear to have a standard of due care or due diligence to call upon. That, unfortunately, makes security reports, while statistically significant and interesting to some degree, little more than fear-based marketing.
This opening paragraph from SC Magazine is like fingernails on the chalkboard to me:
Small and medium sized businesses (SMBs) have developed a false sense of their own security and remain naïve about impending threats.
False? What is false about the decision to spend resources on something other than McAfee SMB products? Naive? Maybe they have decided that the impending threats, and the week of recovery time, are a risk they have to run and are willing to accept. Show me the data that says they are endangering other people’s lives, or causing external harm for which they are not being held accountable… and then I would start to understand the call to attention.