AT&T's acquisition of AlienVault: Shifting an unfair SMB cyber security narrative

AT&T’s acquisition of AlienVault is a refreshing move to address a major security issue that plagues SMB’s in the US: a lack of practical cyber security solutions.  When we say practical, we mean solutions that offer a material amount of security, zero implementation overhead, and ultra low cost.  AT&T’s deal demonstrates that they are onboard with this thesis, but the narrative still needs to change. This narrative was nicely personified in a recent AP article detailing the trials and tribulations of small businesses and cyber security.  In our opinion, the article highlights how unfairly labeled small businesses are.  The following are a few points of the narrative that we think needs to change, starting with the first sentence:

“Despite the prevalence of the data invasions, only about half of small businesses said they had a clear cybersecurity strategy…”  

61% of US small businesses have between 0-4 employees, and 80% have less than 10 employees. Having both personally founded and worked for startups in those size ranges, I can identify with how hard it is to have a ‘clear cybersecurity strategy’ when you are that small. This is especially poignant when we, members of the security community, realize that most of the 4.5 million companies of this size are NOT in the business of building cybersecurity software and services. It is not fair to expect a sole proprietor business to have a cyber security strategy. We SHOULD expect the security industry and the MSP industry to continue to work to bring cost effective solutions down market so that this statistic can improve.  Chastising businesses or reacting incredulously that they don’t change their ways after a security incident is not helpful. It’s on us to help them help themselves. Especially when the next sentence of the article is a crutch for back-burner’ing security:

“Cybersecurity tends to get pushed to the back burner while owners are busy developing products and services and working with clients and employees.”

Yup, and that is not going to change.  NOT doing the above guarantees a small business will fail. A security breach is a lower probability risk than the likelihood of failing if the business owner does not develop their product.  Small business owners will always be overwhelmed building their products and handling customers.  They need solutions that they can implement with deminimis effort so they can focus on product and customers.

The article goes on to recommend small businesses take the following “basic” steps (summarized for the sake of brevity):

“Back-up all of a company’s data securely...Install software that searches for and immobilizes viruses, malware...Make sure you have all the updates and patches for your operating systems...If you have a website, learn how to protect it from hackers, using software...Tell your staffers, and keep reminding them, about the dangers of clicking on links…”

Translation: spend money you don’t have, spend time you can’t spare.

There are dozens of vendors selling products in each of the above categories, but no one is catering to all. A company with 0-4 employees, which represent 61% of small businesses in the US, should not have to invest significant capital or energy to achieve these goals, let alone a single one. These “basics” should be readily accessible to SMBs, but unfortunately they are not.

"The current threat landscape has shifted this from a luxury for some, to a requirement for all."

Back to the AT&T / AlienVault deal.  It’s pretty clear that Thaddeus Arroyo, CEO, AT&T Business gets this. He remarked, "The current threat landscape has shifted this from a luxury for some, to a requirement for all."  IDC, ISPs and MSP channel products that can scale down market and deliver comprehensive solutions to the 61% will be winners, and prepared to capitalize on these relationships when these small businesses grow.