I had many opportunities to talk to stakeholders in different organizations, big and small, about software as a service and cloud services in general. A typical major concern is security. People usually fear what they don’t understand or what they perceive outsider their control. Questions like “where my data sits?” or “who has access to my data?” are reasonable and must be addressed properly by the service provider in order to win customer trust. But I firmly believe an average cloud service provider will deliver better and safer services compared to an above average SMB IT staff. Why?
These days I am going through Cisco’s 2016 Annual Security Report (http://www.cisco.com/c/m/en_us/offers/sc04/2016-annual-security-report/index.html) which, by the way, is a very good read for every IT professional. There are many interesting topics and industry insides but one of them got my attention and supports my statement above. Are Small and Midsize Businesses a Weak Link to Enterprise Security? As any other company in an economy, SMBs are entrusted with customer information. Actually there are many small companies that hold similar data about me to what big names of the economy hold. SMBs are as responsible to protect this information as Enterprises are.
Cisco’s report shows instead that SMB’s defenses are getting weaker, not only compared to larger companies but also to their previous security levels. I will only take two examples: 48 percent of SMBs said in 2015 that they used web security; 59 percent said they did in 2014. Only 29 percent said they used patching and configuration tools in 2015, compared with 39 percent in 2014. Moreover SMBs don’t usually have a higher ranking responsible for security and also don’t think they are a high-value target for online criminals. Processes to analyze incidents and eliminate root causes are most the time missing. Resources are also scarce as security is less a high priority topic compared to larger companies.
I think my point regarding security level in SMBs is quite clear, leaving me with only a few words to add on SaaS and cloud services. Even an average provider of cloud services will have dedicated and trained staff, better processes and more resources dedicated to security compared to most of the SMBs. Service providers live on this services revenue and they cannot afford public exposure for data loss or corruption. Software platforms used for SaaS services have better chances to be up-to-date, patched against known security issues, better protected by dedicated security mechanisms and better looked after by qualified staff. In fewer words: a safer choice for SMBs.