Why aren't SMBs taking security seriously?


This article appeared in the February 2019 issue of CRN magazine.


Small-to-medium businesses know they’re at risk, but a “we’re too small to matter” attitude and the lack of obvious ROI from security products and services see many run without proper protections. At the roundtable, experts discussed how to turn around those attitudes.


Why aren’t SMBs taking security seriously?

Warren Nolan, rhipe

I think the problem is that everything’s so simple today that we perceive we are secure. We access our accounts online, we deal with the biggest global companies in the world that provide us these services and we believe that we’re secure.

But the reality is, we’re doing it over the internet. We’ve got people at the end of the mouse that can click on anything – including malware – and so this perception of security is exactly that. Just a perception.

Sean Bloch, IT Manager on Demand

Small business sees security as an expense. A medium business knows they possibly have a mandatory requirement. But the small businesses still see it as an expense, and they don’t see themselves as a riskier client. And I don’t have an answer for that, but dealing with it would be the biggest plus!

Ronnie Altit, Insentra

I think that shows we need more education, but the problem there is that the only people doing education are people who are traditionally in sales capacities.

Cyber security for a lot of people is seen as an insurance policy. And they think that we as IT people are going and selling them insurance, which is not necessarily educating them because they’re thinking “You’re just trying to sell me something.”

That’s the biggest problem that we’ve got when it comes to education, [it’s] that we don’t have public bodies that are truly embracing and advocating for security.

Atul Thapar, E-BIT Systems

I recently heard the CEO of AustCyber explain that they’re looking at certified public accountants (CPAs) being the people that they are going to basically try to train up because they’re the advisors for business.

We’re in IT and we’re trying to sell a product and if we’re not selling a product, we’re not there, whereas CPAs are there to run a business.

Paul Kingston, VIXTRO

I think the CPA thing is an interesting idea, because they are close to the customers. They speak at a different level to IT people, and it’s more about the human aspect of that. And also around budgeting. How much budget are you going to throw at this? What’s your risk? What are you going to actually do? Have a look at your business and how do you protect that? But it’s not at an IT level, it’s at a business level. So I think it’s a rounded solution, not just IT.

Andre Dowding, Net Intellect

I have friends that I know have a business and they have the attitude of it’s never going to happen to me because we’re not big enough. I asked some about things like the mandatory data breach regulation, they knew nothing about it. They had no idea. It didn’t exist for them. So, again, I think a lot of things will come down to education.

I do think the bit about the CPA, speaking to the customers rather than us, especially in a small business, that people will actually listen to their advice.

What kind of education helps SMBs to understand why security matters?

Angela Moutinho, Solista

We can’t walk in there and make a horrifying video saying “Don’t worry we’ve got this.” Because we don’t. There’s loads of unknown. We can take some of the pieces and explain the next steps. And you have to be open because I think there’s a lot of sharks circling.

Attacks are getting more sophisticated. At a company we worked with we did some phishing education. People generally get it, you don’t click on these, but the more sophisticated the attacks get the more likely that people will click on them.

It’s not that they’re stupid, it’s just that they haven’t reached that next level of sophistication in their education. We can be too condescending in our approach to the people that we’re trying to work with, to say, “You’re an idiot. We can’t help you, because you can’t help yourself.”

Unless we’re prepared to be a bit more forgiving and just break it down into business language and business terms, and language that they can understand, of course the CPA will be more trusted, because the way they talk to the customers is going to be different than how an IT person talks to customers.

I can say that because I’m an accountant, so I know that you say ‘You spend this, you won’t have that.’ It’s kind of simple. ‘You don’t protect that, you’ll lose that.’ Cut out the complexity. Cut the language back, cut the approach back and simplify it and they’re more likely to listen and break it down into incremental improvements.

Anita Sheridan-Roddick, Seccom Global

Our job is made so much easier and it’s less expensive for me to support any company if everyone there is educated. So every Seccom Global managed services client also has education services. We bundle it in. It starts with the C level, so everyone in that quadrant has to go through the education process and then it filters down.

Maria Padisetti, Digital Armour

We’ve been generally educating from the heart. And having done that for about a year, in the last three months we found customers are coming to us and asking for advice.

Also when you’re actually talking to customers, generally they interpret that this is risk, so they do trust you like an advisor.

Shane Muller, OBT

I think the mainstream media will play a big, big part.

The moment mainstream media really talk about security, suddenly it will be a non-issue and we will not have these discussions.

I went through this with cloud. In 2011 we were asking how do we address that to the SMBs. They didn’t really get the cloud. Then late 2012 suddenly it became, “Oh, yeah we know what the cloud is” because we started seeing ads all over the place for the cloud.


What kind of services can the channel use to improve security for SMBs?


Jon Barrett, Microsoft

I think the only way we’re going to achieve cut-through in scale is to somehow have a level of automated self-assessment and risk assessment at scale where if the business is willing to open up themselves to some level of automated detection, it’s the only way we’re going to get scale around this.

But that obviously means that the people they’re opening up to need to be trusted partners, so building trust in your partners you’re working with, and then opening up, in the same way that business owners would open up to a financial advisor or bank about their business and their transactions.

We need to be at that level, where they’re willing to, with trust, to allow that level of inspection and I think scale is needed through automation.

Craig Sims, Converged Communication Network Applications

I see customers out there that have got no idea what they’re protected for, they’ve got no policies or opinions on how they go about getting a green light to say that they’ve got as much protection as they can possibly have in their organisation.

I think there’s a lot more consultancy and opportunities out there around company policy in that mid-market to enterprise.

Warren Nolan, rhipe

The final thing I would say is that there is a massive, massive opportunity for you all in the channel.

You all sat here today, experts in security, and talked about companies who don’t know what they’re talking about when it comes to security.

So partner. Partner with those IT companies that are the trusted advisor and the provider of IT services to small business, but they’re not security experts.

And they need guidance, education, people that can help give their customers support and education. So there is a massive, massive opportunity for you guys. Because if it is one of the last bastions of where there is an opportunity, and there is a limited amount of people who actually know what they’re doing, then that means there’s great opportunity for you.

And building trust, I think, can go a long way to most customers being prepared to go on that journey with you if they trust you that you’ll be there. Because the reality is, as with everybody around here who knows much more about this stuff than I do, you can’t guarantee that you’re going to protect them against everything, but you can guarantee that you’ll be there when they need you. And if you’re an expert, then that will go a long way.


Ahmed Latif, Managing Director, Linktech Australia
Andrew Tucker, CEO, ITonCloud
Andre Dowding, CEO, Net Intellect
Angela Moutinho, General Manager – Services, Solista
Anita Sheridan-Roddick, Managing Director, Seccom Global
Atul Thapar, Managing Director, E-BIT Systems
Craig Sims, Managing Director, Converged Communication Network Applications
Dougal Hawkes, Notifiable Data Breach Initiatives, Allcom Networks
Jeremy Keast, National Sales Director, Looptech
Kirk Jones, GM Vendor Alliances, Secure Agility
Maria Padisetti, CEO, Digital Armour
Paul Kingston, Co-founder and CEO, Vixtro
Richard Byfield, Managing Director, TSS Cyber
Ronnie Altit, Chief Executive Officer, Insentra
Sean Bloch, Managing Director, IT Manager on Demand
Shane Muller
Simon Sharwood, Editorial Director, CRN
Warren Nolan, Chief Commercial Officer, rhipe
Michael McCluney, Technical Leader, Trend Micro
Jon Barrett, Modern Workplace Solutions Specialist, Microsoft
