SANS had a great post the other day on protecting small- and medium-sized businesses. As I have a small company that responds to many small-business incidents, I tend to see firsthand the whats and the whys. Most of my work with my own company comes from a business that has been hacked or that gets some kind of malware infection. And time and time again, when we go in to look at what happened, we see that there are no controls or very few controls in place. And, nine times out of ten, the clients have no visibility to even see if there WERE things that might be amiss. It's only when the pop-ups start, the browsers are hijacked, or the machine crawls that anyone decides to do anything.
So, we end up remediating. Then we propose actions to take to prevent the issue from occurring again in the future. Inevitably, I think it comes down to money. The economy is tough. Times are tough. Businesses are scrapping just to stay afloat. And, as such, whatever is not 100% necessary, or does not SHOW massive improvements to the bottom line, gets dropped in favor of something that will help the company stay profitable. I believe the mindset is that many times it is cheaper to slap Band-Aids on the problem each time that there is an incident rather than fix the deep-rooted issues in an attempt to stay safer in the long term.
Just what I've seen.