smb security advice: don’t read this article

If you want to read a poorly crafted article, check out this one today from McAfee: Five Simple Steps SMBs Can Take To Prevent A Disastrous Data Breach. May as well check out these five steps, keeping in mind this is geared to the small/medium business segment.

1. Conduct a Candid Data Quality Assessment – Identifying your data is a noble goal, but as 1 of 5 steps an SMB can take to actually prevent a data breach, this item has zero actionable value. And let's get this out of the way now, since it permeates the whole article: the language is that of an enterprise with robust security maturity, not an SMB that is going to say, "Huh? Ok...tell me *what* to do."

2. Create a Detailed Description of all Data Touch Points – Data touch points? Are you kidding me? I understand the point here, despite the lofty enterprise-level wording, but I was hoping by now I'd have seen some mention of patching your systems. Oh, and this is the second step that doesn't actually do anything; it's just about taking inventory (which itself should be a single bullet point).

3. Conduct Periodic System Reviews – Another noble item, but most SMBs are focused on getting things done, not on yanking on the reins and slowing things down to work out the security ramifications of every application that gets rolled out. I was really hoping this item would talk about actual periodic system reviews, and even then it is so vague as to be useless. Every SMB is just going to "do a system review" that is half-assed, and then say go ahead.

4. Develop Comprehensive and Specific Security Policies – The first overt bit of upsell for McAfee services. In fact, I'm not even sure what the text has to do with the bullet point itself, which is useful for a security program but, again, doesn't prevent shit. And if anyone is going to write a policy that just gathers dust, it will be an SMB.

5. Deploy Comprehensive Solutions – And here's the big marketing/sales slap to the face. You might as well tell an SMB, "To prevent data breaches, buy security tools that prevent data breaches." Yeah, great advice. At any rate, the description given for this monolithic comprehensive security solution means nothing to an SMB and is not actionable: it scales, it is easy to implement with minimal maintenance, and it supports all the places where data resides. That is a feature list, not a step anyone can take.

My advice for making a better checklist is to drop the enterprise-level lingo and give some actually actionable bullet points. The items certainly have merit, but they are useless to SMBs with limited time, staff, and talent. All of these bits of advice turn into "go-get-em" initiatives that won't go anywhere, because they take time, require completeness, and don't even produce medium-term results. Sure, the SMB may find out all sorts of things about its data, systems, data touch points, and policies, but none of that actually *does* anything.

So that's it. No advice on patching. Not even any advice on desktop malware protection, or on network-layer malware detection (which I was expecting and would have *accepted* coming from McAfee…