Many privately-owned SMBs are no doubt grateful that, unlike their larger public counterparts, they do not have to engage in a baffling array of complex and costly exercises to satisfy the requirements of Sarbanes-Oxley and other regulations.
However, perhaps they should spend less time thanking their lucky stars and more time assessing their security policies -- or lack thereof.
"Regulatory compliance inherently makes enterprises more secure," says an analyst with security advisor MessageLabs in a recent internetnews.com article. The flip side, of course, is that companies without compliance programs often give short shrift to security.
According to MessageLabs, just 53 percent of SMBs have appropriate security policies in place, compared to 69 percent of larger firms. Fraudsters are aware of this, says MessageLabs, leading to "an increase in targeted attacks on small businesses because they have less security in place."
MessageLabs, natch, is launching a service it says can help. The Small Business Security Clinic and Makeover is referred to in the internetnews.com article as "a kind of IT security toolkit of resources and education."
We're not sure where such a toolkit fits in, but SMBs generally have three options for security: hardware/software appliances; a software-only approach, in which security functions are bundled with other applications; or outsourcing the security function. The software-only approach typically makes the least sense for SMBs, according to a Processor article.
Obviously, different approaches may be required for different security tasks. According to the article, SMBs must weigh the desired level of control, the amount of maintenance required and the ability of in-house staff to perform security tasks.