August 11, 2010 at 7:02 am
James Stover (8/10/2010)
First, small businesses should not be exempt from the rules, nor the penalties. I do agree that the penalty should be appropriate to the size of the business. However, I don't believe a small business needs a crack security team 24/7 to meet their security needs. That's just typical small biz scare tactic.
And what size company do *you* work for?
It's very easy to say everyone should follow the rules, but the problem is:
A) The rules change as the threat changes.
B) It takes a dedicated security professional to evaluate the risk and deal with it.
C) These people are *expensive* if they're any good.
D) The equipment to deal with threats (such as a hardware firewall/intrusion detection and countermeasures) is itself expensive.
E) Lawyers are inventive, especially ambulance chasers. AND THEY WRITE THE LAWS.
There is a huge difference between what Google can do and Tiny Sales Inc. can do when it comes to security. Not to mention a lot of security breaches come from 0-day exploits, SQL injection, etc., of third-party software. How can a 10-person company who has maybe 1 dedicated IT person (for EVERYTHING) hope to deal with a problem that defeated IBM and Google?
Now if you want to argue no one should keep sensitive data (SSN, address, *name* :)) then I agree with you. But the marketing types would snivel too much, so it isn't going to happen.
Given that, and given the complexity of IT infrastructure, holding small companies to the same standards as the big companies is simply ludicrous.
August 11, 2010 at 9:03 am
I still think that disclosing more is better. Everyone will likely have some security issues, and filing them, along with some details, brings some knowledge that others can use. Especially as admins will discuss issues more openly if they're already disclosed.
I do agree that small companies can't have the same penalties as large companies. Perhaps it ought to have some percentage of revenue caps to not drive them out of business.
August 11, 2010 at 5:42 pm
There is a huge difference between what Google can do and Tiny Sales Inc. can do when it comes to security. Not to mention a lot of security breaches come from 0-day exploits, SQL injection, etc., of third-party software. How can a 10-person company who has maybe 1 dedicated IT person (for EVERYTHING) hope to deal with a problem that defeated IBM and Google?
Now if you want to argue no one should keep sensitive data (SSN, address, *name* :)) then I agree with you. But the marketing types would snivel too much, so it isn't going to happen.
Given that, and given the complexity of IT infrastructure, holding small companies to the same standards as the big companies is simply ludicrous.
Small business owners love to overhype everything. Everything is too hard or too expensive or too much tax or too much paperwork...everything is "too" something (except too much profit, of course). Reality check: Tiny Sales is not going to have the same levels of complexity as Google. So right there, your argument falls to pieces. They can hope to be better than Google because they have less complexity.
Tiny Sales has to do accounting...as Google does. Tiny Sales can't hurt or kill people with their products...nor can Google. Tiny Sales needs an accountant...as does Google. Tiny Sales needs legal advice...and so does Google. Get my point? Running a business of any size has common elements. The scale is different, but the needs are the same. Therefore, small biz should NOT be exempt from following good security practice in the normal course of running a business. If they have to hire a security consultant then so be it. Just like they hire an accountant, or lawyer, or cleaner, or electrician, or plumber, and so on. Pay the cost, bundle into your overheads, pass on to the customer. It's fair and just and acceptable if everyone has to do it.
Plus, I never said that Tiny Sales should be held to the same standard as Google (or other 800 lb gorilla). Held to an acceptable standard, yes, but not Google's. Expecting your information to be reasonably safe & secure is not ludicrous, and you wouldn't think so if you were the victim of fraud or identity theft because of Tiny Sales' shoddy business practices.
Having beaten that horse to death, I will say that system & data security is one area where The Cloud will really help small biz. Outsource the whole thing to Google or Microsoft or Amazon. Let them deal with staffing. Let them deal with security. Let them wear the liability (they can afford it). To me, these are the compelling reasons for small biz to embrace The Cloud.
James Stover, McDBA