Midmarket companies are big enough to make juicy targets for attackers, yet they have insufficient IT to handle security in-house. They fall into a dangerous security "no-man's land."
Mike Rothman, president of the security research and advisory firm Securosis, compares midmarket companies' security position to the "no-man's land" between the baseline and service boxes in tennis, where it's easy for your opponent to score against you. He says about midmarket companies:
These folks have a couple hundred to a couple thousand employees. That's big enough to have real data interesting to attackers, but not big enough to have a dedicated security staff and the resources they need to really protect anything. These folks are caught between the baseline and the service box. They default to compliance mandates like PCI-DSS because they don't know any better.
Wendy Nather, an analyst with 451 Research, made the same point in 2011, saying SMBs fall below the "security poverty line":
Organizations below the Security Poverty Line have no in-house security expertise -- in fact, they may not even have any full-time IT staff at all. If they spend money on a security consultant, they may be able to get advice, but security also lies in the day-to-day execution, and without knowledgeable resources at their disposal, they won't be able to execute on whatever the consultant advises.
In organizations below the Security Poverty Line, Enterprise Security Information Management (ESIM) products might sit unused because nobody has time or expertise to tune them or read reports. Antivirus software might be improperly installed. "In an IT-poor organization, maintenance tasks take a back seat to the more pressing matters of outages and new installations," Nather said.
Rothman blames the security industry, which caters to large enterprises and neglects the midmarket. Security vendors focus on the biggest 1,000 companies worldwide. Big-business Chief Information Security Officers (CISOs) find it easy to buy another security server or appliance, and assign a few staff to make it work.
The security no-man's land is starting to get safer. Service providers offer firewall monitoring and spam-filtering as a service, and vendors are beginning to offer products purpose-built for the midmarket. But too many are "dumbed-down enterprise products, which doesn't really solve the midmarket company's problem," Rothman says.
Midmarket companies need security mentors to manage and teach security until the companies are ready to stand on their own, writes Dan Geer, computer security analyst and risk management specialist.
The security no-man's land is an extension of the direction the entire IT industry is moving, writes Bruce Schneier, security blogger, author, and chief security technology officer of BT. Only the largest companies have dedicated IT staffs, with others outsourcing the functions to IT providers, which also manage security. He says:
A company whose email consists entirely of Gmail accounts, whose payroll is entirely outsourced to Paychex, whose customer tracking system is entirely on Salesforce.com, and so on -- and who increasingly accesses those systems using specialized devices like iPads and Android tablets -- simply doesn't have any IT infrastructure to secure anymore.
How about you? How are you getting along in the security no-man's land? Let us know.
Education is critical to enhancing security, enlightening users to the emerging threats and providing basic user awareness about entry points of common security breaches. However, the call for education also comes at a cost of time and money, bringing us back to the primary challenge for small and mid-size businesses -- limited security budgets. A combination of education and security is ideal, but all too often it is out of reach for the medium-sized enterprise. Hence the dilemma -- the security no-man's land.
Yes, Douglas, SaaS should enable midsize businesses to better secure themselves from internal and external threats. Although with so many security breaches coming down to lack of education and/or awareness, it's important that companies also spend the time (and any necessary funding) to change that part of the equation, too.
SMBs are slowly moving out of the wilderness of the 'security no man's land' with the help of SaaS software and managed services. Security as a Service is helping reduce the cost of security by outsourcing hardware, maintenance and monitoring. While no security solution is a 'set it and forget it' endeavor, the Cloud is bringing security improvement within reach for medium-sized businesses.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.