I read an excellent TechRepublic post on things that an SMB should have in their budget. I actually agree with most of the article's points. For instance, they point out that buying hardware today, sized for today's specs, is a recipe for failure: couldn't agree more. Consumer-class printers don't meet business needs: agreed. You need adequate Internet bandwidth: check. You should have third-party backup software that allows you to recover easily to bare metal: a must-have for any SMB.
But where is security in this article? Well, there is one specific mention of security: the recommendation to purchase a hardware firewall. Okay, that's good as far as it goes; it certainly is sound advice. But here's what's missing: consulting/technical/architecture services.
What are you selling?
I'm not selling anything, just want to share some common sense. If this article is what convinced you to buy a hardware firewall, you don't have the necessary expertise in house to architect/configure/manage it. The article points out that "not only are these devices far more secure, they are also more reliable and flexible." And the flexibility is the problem in this case. What they don't say is that they also offer the flexibility to shoot yourself in the foot. It takes real effort to misconfigure the built-in Windows firewall; it takes just as much effort to configure a standalone hardware firewall correctly. A default-deny policy, the order of the rules, and which interfaces the management port listens on are all decisions the device leaves to you. Installation matters. Configuration matters. You can actually make your business less secure by incorrectly installing a high-powered hardware firewall.
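To make "shoot yourself in the foot" concrete, here is a small rule-set audit, written for this post as an added example (it is not code from the TechRepublic article or from any firewall vendor). The rule format, the zone names (`wan`, `lan`, `dmz`, `self` for the appliance itself), the management port list and the two sample rule sets are all assumptions for illustration; rules are evaluated first-match, top to bottom, the way most appliances do it. It flags three mistakes a freshly unboxed firewall makes easy: a default policy that isn't deny, a broad "temporary" allow-anything rule that silently shadows the specific deny placed after it, and the web management UI exposed to the whole Internet.

```python
"""Audit a first-match firewall rule list for common self-inflicted mistakes.

Added example for this post, not vendor code. Rule format, zone names and
sample networks are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")
MGMT_PORTS = {22, 23, 443, 8443, 161}  # ssh, telnet, web UI, alt web UI, snmp


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    from_zone: str       # "wan", "lan", "dmz"
    to_zone: str         # same set, plus "self" for the appliance
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]  # None means any port


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if `broad` matches every packet that `narrow` would match."""
    return (broad.from_zone == narrow.from_zone
            and broad.to_zone == narrow.to_zone
            and narrow.src.subnet_of(broad.src)
            and narrow.dst.subnet_of(broad.dst)
            and (broad.port is None or broad.port == narrow.port))


def audit(rules: List[Rule], default_action: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    if default_action != "deny":
        findings.append("default policy is not deny")
    for i, r in enumerate(rules):
        if r.action == "allow" and r.from_zone == "wan":
            if r.src == ANY and r.dst == ANY and r.port is None:
                findings.append(f"{r.name}: allows anything inbound from WAN")
            elif r.to_zone == "self" and r.port in MGMT_PORTS and r.src == ANY:
                findings.append(
                    f"{r.name}: management port {r.port} open to whole Internet")
        # First-match evaluation: an earlier rule with the opposite action that
        # covers this one means this rule can never fire.
        for earlier in rules[:i]:
            if earlier.action != r.action and covers(earlier, r):
                findings.append(
                    f"{r.name}: shadowed by earlier {earlier.name} ({earlier.action})")
                break
    return findings


# Constructed "shot myself in the foot" rule set (hypothetical addresses).
BAD_RULES = [
    Rule("temp-allow-all", "allow", "wan", "lan", ANY, ANY, None),  # "to get VPN working"
    Rule("block-rdp", "deny", "wan", "lan", ANY, ip_network("192.168.1.10/32"), 3389),
    Rule("remote-admin", "allow", "wan", "self", ANY, ANY, 443),
]

# Constructed hardened rule set: narrow sources, no broad allows, admin UI
# reachable only from the office's public range (hypothetical 203.0.113.0/24).
GOOD_RULES = [
    Rule("vpn", "allow", "wan", "self", ANY, ANY, 1194),
    Rule("admin-from-office", "allow", "wan", "self",
         ip_network("203.0.113.0/24"), ANY, 443),
    Rule("web-server", "allow", "wan", "dmz", ANY, ip_network("192.0.2.10/32"), 443),
]

if __name__ == "__main__":
    for label, rules in (("bad", BAD_RULES), ("good", GOOD_RULES)):
        print(label, audit(rules, "deny") or ["no findings"])
```

The shadowing check is the one people miss: the `block-rdp` rule looks right on the screen, but it sits below a broader allow and never matches, so the hardware firewall is now passing RDP to a desktop that the Windows firewall alone would have kept closed.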
There are some missed opportunities in this article as well. For instance, the backup server/appliance needs to be secured at least as well as the most sensitive system it protects, because it holds a copy of everything. As a penetration tester, I can't tell you how many times I've been able to compromise a backup server to get the goods stored on a server that otherwise wasn't vulnerable.
Also, what are the easiest ways for attackers to get in? Social engineering and client-side attacks. I talked a little about social engineering in an earlier post. Client-side attacks usually depend on unpatched client software. A centralized patch management solution is cheaper than many companies realize and does wonders for hardening the computers. Trailing close behind is a centralized antivirus management server, which ensures all of your antivirus clients have current definition updates and consistent configurations.
We're too small to be attacked
Whoa! If your business is financially solvent (i.e. you are making money) you have something to lose. Sure, others might have more to lose (making them better targets). Those 'better targets' might also have better security, making them 'harder targets.' Consider this: physical break-in rates are lowest where on-site security guards are present, even though those sites have the most to lose. Think about what competitive advantage you would lose if your competitors had all of your IP (business contacts, product designs, 50 secret herbs and spices, etc.). This doesn't mean you should spend $1 million to protect $100k; that's just stupid. But get real, consider what you have to lose, and spend on security like you are a target (because you really are).