Securing the Small Business and Goodbye Tech-Ed 2007 <sniff>

Well, it's over. In the bag. Kaput. Tech-Ed 2007 is finally finished. To be honest, I'm actually pleasantly surprised that so many of you stuck around for the last day. Considering that my session went up against Mark Russinovich's session, I'm glad we got the turnout that we did. Great testament to the importance of this session.

I especially want to thank those of you who provided insight and feedback into the world of Small Business security during my session. It was you that made this a truly worthwhile session. So here's the summary of today's event:

Microsoft's Definition of a Small Business:

  • < 25 PCs
  • 1-49 employees
  • Total = 39 Million worldwide

Challenges Facing Small Businesses:

  • Size of the IT Staff - The typical small business has one or fewer dedicated IT staff. (I'm not talking about those of you who deliver IT services to most Microsoft partners.) If the smallbiz is lucky enough to actually have a full-time IT person, that guy is usually an IT Generalist, the Total Package. He's not just worrying about security; he's also the guy keeping the mail servers running, backing up the SQL database (and doing the recoveries!), setting up new employee laptops, and often getting tasked with setting up the new phone system. Many times the one-person IT staff is also the accountant, cleaning staff, receptionist, sales team, etc.
  • Lack of Funds - In most cases, the small biz is dealing with smaller budgets and tighter margins. It's hard to think about implementing solutions for "future" problems when you're worrying about making monthly payroll and keeping the lights on. One of the attendees today had a great point. If there is a solution that they feel they really need, and the customer just doesn't have the capital to invest, the partner and the customer should think about looking into Microsoft Financing for Small Businesses. (TBH, I've never heard of this, but if it's good...I may try and finance a new SAN for storing my recorded TV on Media Center.) Apparently the financing will also cover the partner fees. Everyone wins!
  • Perception - Let's face it, too many bad partners are out there ruining the good name of hard-working, good partners. They show up at the customer site and immediately launch into a 20-minute sales pitch with a goal of "flipping licenses". No surprise that a lot of small businesses are wary of any external vendor. As I mentioned during my session today, my wife is a Microsoft alum and worked for a small business before coming to Microsoft and later went back to a small business after leaving Microsoft. I had her review my notes last night, since she knows a lot about this area. When I said small business owners were typically "risk averse" she said, "Typical Microsoft attitude, Kai. Small business owners are more willing to take risks than most of your enterprise customers. If not, why would they strike out on their own to start a business from scratch? Entrepreneurs understand risk way better than most." (Good point, you're right again, although I do still think I need the new XBOX 360 Ultimate.) So to edit my point: the Risk/Reward for Small Business needs to be VERY high when using an external vendor. Entrepreneurs are used to doing it all by themselves, so when they call you in, you had better have your act together.
  • Risk Intolerant Infrastructure - This point deals with the actual network environment that exists in most small businesses. They don't have the luxury of SQL Servers running on 8-node clusters for high availability. They typically don't have tape libraries. They are usually a single (maaaaaaaybe two) server shop, and that server has got to be up for them to pay the bills. They can't sustain a "server down" situation and remain solvent very long. That's what I mean by "risk intolerant". Those of you who've seen me speak know that I constantly tout security as nothing more than "risk management". That's especially true in the smallbiz space. Why would I implement a solution that would risk my existing uptime, even if I understand that long-term it'll help me with security?

So the question is, what do we need to do to fix the problem? How do we get past the small IT staff/lack of funds/perception/risk intolerant network issues? Here's how:

  1. Become a Trusted Advisor, and stop being the Sales Guy! - I'm not saying that you shouldn't sell solutions, but I am saying that you should have a far nobler purpose for being onsite. You need to sit down and listen to their concerns. You need to truly understand their business and what is important to them. What data is important? Is it customer records, intellectual property, accounting info? Where is it kept? How does it flow across the network? What risks can this customer accept, and what will absolutely shut down his business? By taking a genuine interest in understanding the business and not trying to start slapping "technology solutions" into the equation, you will truly be using security as a business enabler and not allowing it to become a business hurdle. The customers look to you to be fully knowledgeable on potential risks that could impact their business. Do they deal with customer healthcare info? If so, what do YOU know about HIPAA? If they are going to be doing credit card transactions, will they be forced to comply with PCI DSS? As one gentleman (and small business owner) mentioned today, "I want my vendor to be the Subject Matter Expert on a topic, and he darn sure better know more about it than I do!" Everyone hear that? Remember that small business owners might not always see the threats facing them (which is why you're there)...and you had better be up to snuff on the risks! Be careful not to go in "Selling FUD" (that's fear, uncertainty and doubt). I see and listen to soooooo many security vendors (including some of my own co-workers) who get up there and try to scare people into buying a solution. "Do you realize the number of people getting hit by SQL injection is staggering?!" (Hmmm...I don't even use SQL Server in my small business.) Is selling FUD effective? Sometimes. Is it effective long-term, and does it help you achieve the role of Trusted Advisor? Absolutely not! Always aim to be the Trusted Advisor. Not only is it best for your business, it's the right thing to do.
  2. Stop the "Tech Talk" and learn to "Talk Business" - IT Pros are comfortable having discussions on the finer points of Public Key Infrastructure deployments, tweaking registries, and figuring out the risks that cross-site scripting attacks present. However, business customers are not. If you want to be taken seriously in the world of business, you need to "up-level" the conversation to that of a "business discussion". Understanding terms like "cash flows", "asset valuation", and "accounts payable" is important. When you translate "tech talk" into "business talk", you will be better able to understand the customer's business and the best way to help them. It may even help you understand your own business better too!
  3. "Ridiculously Obvious" - Just because it's obvious to you and your team of IT Pros doesn't mean it's obvious to Tim and his small business accounting firm. (I'm guessing that there are probably some accounting practices he'd consider "ridiculously obvious" that you're probably not doing either!) Simple things like changing passwords frequently, having individual accounts for each employee, turning on auditing, patching, etc. are things we as IT Pros typically do with ease...but they may not be on the minds of our customers. Remember to start by implementing the simple things that quickly and cheaply increase security in the organization. Stop thinking about how a 50-seat deployment of an anti-virus solution needs to be the first step in securing the business. One important thing to remember here is tone. Being condescending isn't going to help you win customers and influence people. What we need is a Trusted Advisor, not Nick the Computer Guy from Saturday Night Live.
  4. ROI doesn't need to be just "good", it needs to be EXCEPTIONAL! - Smallbiz owners are very focused on where they invest resources. They have to be. They can't throw a million dollars at a project that "just didn't work the way we planned". Every dollar is key. They need to get as much "bang for the buck" as possible. That's why I'm a big fan of implementing things that are extremely effective and extremely inexpensive. Here's a list of the ones I mentioned today:
    • Microsoft Security Awareness Toolkit - Probably the best bang for the buck you can find. Increasing user awareness around security will help cut down on simple mistakes and raise concern for true security issues. Doing quarterly security training, using security posters, videos, etc. are all great ideas for increasing awareness. However, no one likes to create any of this stuff themselves, which is why the new Microsoft Security Awareness Toolkit is such a great tool. Videos, posters, PPTs, and templates for bulletins and newsletters are already finished. Can't beat that.
    • Microsoft Security Assessment Tool - One of the best tools for helping you have the business discussion with your customer is the updated Security Assessment Tool. It is something you sit down and work through with your customer. A lot of the questions are technical, so you may have to help provide answers, but it will really help you identify the areas that your customer needs to focus on. It helps provide technical, organizational, and operational solutions to the customer. You can take the results and compare them with others in similar industries and businesses of similar size. Here's a couple of screenshots:

[Screenshots of the Security Assessment Tool from the original post are not reproduced here.]




    • Microsoft Baseline Security Analyzer v2.1 (Beta) - Most of you are familiar with this tool, but you may not have thought of using this to analyze customer network environments. This will help you identify some common risks on the customer networks. It also presents the material in a nice format, so it's easy to understand and view. The current version in Beta will also run against a Windows Vista machine. Feel free to use the RTW version if you don't like Betas, but I've had no issue with the Beta at all.
    • Security Guide for Small Business - This is an absolutely fabulous resource that you can leave with customers, or for those who aren't 100% convinced they need to hire an external vendor to do the security for them. It explains information security in simple terms and really helps them take care of the easier issues. Things like having individual user accounts for each employee. You can download the guide and share in softcopy, or even take it and get it printed. It even helps them create a written Security Plan and provides suggestions for creating things like Acceptable Use Policies.
    • Small Biz Blogs - I can't even begin to think of one better and more current than Susan Bradley's SBS Diva blog. As an SBS user and an accountant herself, Susan always has great insight into the world of small business from both a technical and business perspective. I especially love how she talks about things like Quickbooks and the challenges of getting it to work on Windows. Definitely worth a look! You might also check out when Microsoft Across America is in your town. Free events for small business owners and for Microsoft Partners as well.
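Point 3 above (the "ridiculously obvious" controls: rotate passwords, one account per person, auditing on, patches current) is exactly the kind of thing a partner can turn into a ten-minute check before talking ROI. The script below is an added example written for this post; it is not part of the original session or any Microsoft tool. The inventory layout, the thresholds (90-day password age, 30-day patch lag), the severity choices and the sample three-person shop are all constructed assumptions; in practice you would feed it an export from the directory and your patch tool instead of the hard-coded lists.

```python
"""Baseline check for the 'ridiculously obvious' small-business controls.

Added example, not from the original post or any Microsoft product. The
inventory dictionaries, thresholds and severities below are assumptions
made for illustration; a real run would load a directory/patch export.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds (constructed for this example)
MAX_PASSWORD_AGE_DAYS = 90
MAX_PATCH_AGE_DAYS = 30
# Accounts whose stale password is a high-severity finding rather than medium
PRIVILEGED_ACCOUNTS = {"administrator"}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "low"
    subject: str    # account or host the finding is about
    control: str    # which obvious control is missing
    detail: str     # plain-language explanation for the business owner


def check_accounts(accounts, today):
    """Individual accounts per employee, and passwords rotated on schedule."""
    findings = []
    for acct in accounts:
        name, people = acct["user"], acct["used_by"]
        # A login shared by several people destroys accountability: the audit
        # log can no longer say which person did what.
        if len(people) > 1:
            findings.append(Finding("high", name, "individual accounts",
                                    f"shared by {len(people)} people: {', '.join(people)}"))
        age = (today - acct["pwd_last_set"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            sev = "high" if name.lower() in PRIVILEGED_ACCOUNTS else "medium"
            findings.append(Finding(sev, name, "password rotation",
                                    f"password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})"))
    return findings


def check_hosts(hosts, today):
    """Auditing switched on, and patches applied within the allowed lag."""
    findings = []
    for host in hosts:
        name = host["name"]
        if not host["auditing"]:
            findings.append(Finding("medium", name, "auditing",
                                    "audit policy is off; an incident could not be reconstructed"))
        if host["last_patched"] is None:
            findings.append(Finding("high", name, "patching", "no patch date recorded"))
        else:
            lag = (today - host["last_patched"]).days
            if lag > MAX_PATCH_AGE_DAYS:
                findings.append(Finding("high", name, "patching",
                                        f"last patched {lag} days ago (limit {MAX_PATCH_AGE_DAYS})"))
    return findings


def assess(accounts, hosts, today):
    """All findings, highest severity first, so the cheap urgent fixes lead the conversation."""
    findings = check_accounts(accounts, today) + check_hosts(hosts, today)
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.subject))


def summarize(findings):
    """Counts per severity, the one-line number a business owner actually reads."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory for a three-person shop (not real data)
SAMPLE_TODAY = date(2007, 6, 8)
SAMPLE_ACCOUNTS = [
    {"user": "tim", "used_by": ["Tim"], "pwd_last_set": date(2007, 5, 1)},
    {"user": "frontdesk", "used_by": ["Ann", "Bob", "Carol"], "pwd_last_set": date(2006, 1, 15)},
    {"user": "administrator", "used_by": ["Tim"], "pwd_last_set": date(2005, 11, 30)},
]
SAMPLE_HOSTS = [
    {"name": "SBS01", "auditing": True, "last_patched": date(2007, 5, 20)},
    {"name": "WKS-RECEPTION", "auditing": False, "last_patched": date(2006, 12, 1)},
]

if __name__ == "__main__":
    results = assess(SAMPLE_ACCOUNTS, SAMPLE_HOSTS, SAMPLE_TODAY)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.subject}: {f.control} - {f.detail}")
    print(summarize(results))
```

Each finding carries a plain-language detail line on purpose: the output is meant to be read with the owner, in the "talk business" register from point 2, rather than pasted into a ticket. Shared accounts and a stale administrator password are ranked high because they cost nothing to fix and undermine every other control.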

By the way, for those of you who did stick around, I want to apologize for the Friday lunch fiasco, where the Orange County Convention Center didn't have enough food and people had to wait to get a burger. You guys paid good money to be here and I wanted to tell you that the issue has been noticed and hopefully resolved. Please be sure to put this on your evals so we don't have it happen next year!

Travel safe everyone! Thanks for spending your valuable time (and money) with Microsoft this week.