IT professionals oftentimes talk over the requirements of small and medium-sized enterprises (SMEs) with a lot of jargon. Compliance (and laws punishing data breaches) is becoming increasingly widespread, so it's understandable that it's the topic du jour. My experience is that most SMEs aren't in industries that are subject to strict compliance regimes, but they're bumping into "diet cola compliance" from governing bodies, insurers, and large vendors. This is something that we should all take notice of, because it's an opportunity to help.
A financial planning firm that I work with has encountered cyber security advisories from the New York Bar, its insurance company, and a large bank that offers investment management systems. These have been superficial checklists, but the writing is on the wall that some procedures and controls to manage security are to be expected. It's not PCI DSS, ISO, or anything so grandiose, but it's real, and it's motivating these firms to seek out some security help. They usually "didn't have the time", but the prospect of facing consequences/deadlines is changing that mindset. An investment manager needs access to banking systems to do their job. It's that simple.
I've been told that there's a "cyber security poverty line" that consultants don't want to dip below in order to make a living. There's some truth to that, but it doesn't mean that security shouldn't be accessible for SMEs. Policies, security awareness, and managing identity as the perimeter are within reach, by implementing what they already have. I can't tell you how many SMEs I've encountered that aren't using MFA, let alone anything more "modern" for authentication. That's disturbing, because we're in the midst of a major identity transformation.
The big reveal is that they're normally already paying for it and don't have much of anything implemented. That's especially true with expensive Microsoft subscriptions they think they need. They really need help, and expert guidance is available through MSP partners, or internally, using platforms that aren't overly complicated.
Security isn't a product, and buying "stuff" doesn't achieve good security. For example, SMEs can't support a SOC, and aren't capable of using a SIEM correctly (alerts are usually dismissed and closed). Instead, they can maximize what they already have or extend it to meet identity/device management requirements. Even basic security awareness training helps, a lot. Take a look at the threat landscape, per CrowdStrike. It's the simple things, not APTs, that are causing breaches, and attacks are cloud/identity based. Breached credentials and unmanaged devices can grant criminals access to vital company resources no matter how small an organization is.
I've implemented JumpCloud, and am in the process of doing so with Azure AD and Intune. The latter has been an adventure in product licensing. Those projects introduced modern authentication and a better device posture. It would be great if everyone used JumpCloud (they can downgrade those pricey M365 licenses and get what they need), but security is important no matter what the vendor is. SMEs are the lifeblood of the economy, and they're being targeted by criminals. I've played a major role in a multi-generational family business. The two examples I referenced are also family-run, and I more than understand that they're busy.
It took "diet cola" compliance to get them to act. When we talk about compliance, let's not forget about SMEs and the challenges they're facing as the expectation for security increases, even when it's not a formal standard.