In more than 25 years of work in the IT field, I have worked for several corporations, for customers and as a freelancer, and I have seen many very different realities.

On average, attention to security in big corporations is higher (but not always), since most of them have realized that damage such as a system compromise, data theft, the interruption of a service or
anything else automatically translates into money loss or bad reputation (and consequently, money loss). So in the average big corporation you see some sort of firewall, managed switches,
Intrusion Detection Systems, centralized authentication and, luckily, more important than everything else, a hopefully good security policy. Quite easy: they've got the bucks.

In medium and small companies there is a completely different perception. IT is mostly perceived not as an enabler but as a cost, a commodity like the electricity bill, and network security is rarely taken into account. Even though there are a lot of free or low-cost solutions to a lot of issues, the most basic practices are often omitted, mainly for two reasons: ignorance, or the will to save some money on "something that doesn't bring value" but simply has to work.

The WannaCry lesson of a few days ago showed all of it. Allowing a protocol like SMBv1 to/from the Internet on a big corporation's firewall is something that you'll probably never see in your life (ok, never say never, but I think you get the concept). But what happened is that people are allowing everything to/from the Internet for the sake of simplicity and on the assumption that hiding NAT will protect them. Numbers don't lie: over 90 countries involved, over 200,000 infected PCs, and it seems that most of them were Windows 7, not even XP. This reveals that a lot of people and companies are relying exclusively on the security of the operating system, and as what happened showed, this has not been enough and never will be. And we're talking about the British National Health Service, Spain's Telefonica, FedEx and Deutsche Bahn (according to Wikipedia).

Today, a lot of problems are due to what system engineers call Layer 8 of the ISO/OSI model: the user. The Internet brought us a wealth of information, new opportunities and new ways to communicate, but when your average workforce has to deal with technology, you cannot take for granted that they will be able to do it in a safe way.

Indeed, over time technology has become more and more pervasive, and new kinds of threats are becoming much more real on the horizon. Just as an example, social engineering is a well-known hacking practice, and it doesn't take much to get enough information about a person and steal their data. And their data could also contain your data. Most people are on some sort of social network and are carelessly sharing a lot of data without thinking about the impact it could have on their (and your) security. Approaching them with some kind of excuse has never been easier, and even if they are not stupid, they could inadvertently reveal precious things that could impact you. Let's face it: people simply want to use technology without worrying about security. They want to do their job fast and easily, to let you make your money so you can pay their salary, that's it, nothing more. It's up to you to make sure they do it in a safe way.

There are tons of free firewalls, free IDSs, and low-cost, low-power pieces of hardware to run them on, but what is really lacking is knowledge. Knowledge about networks, security, operating systems and vulnerabilities is something that requires years of study, experimentation and constant updating, far more than medicine does. And this costs time and money. But when you have health problems and your life is at risk, would you save some bucks and go to a shaman, or would you prefer some serious medical assistance?

Basic security practices can be set up with little economic effort, but can remedy a lot of situations. Saving some bucks today can mean much greater economic damage tomorrow.

Do the math yourself.