There is an entire world of small and mid-sized businesses that are absolutely helpless against the kinds of attacks we call “basic” in infosec. Invoice spearphishing, BEC (business email compromise), credential harvesting – these are the kinds of things we think of as entry-level hacks.
OK, I’m a little angry here. I’ve heard a dozen stories this year from professional services providers like accountants, lawyers, and MSPs about the jargon, contempt, and expense they get from enterprise product companies and infosec consultancies.
I’d like to challenge every infosec pro: can you talk to your friends, barista, gardening service, local cafe owner, bookkeeper, day care provider, personal trainer, housekeeper (really, any person whose job is actively being replaced by the gig economy) and find out if their business has implemented 2FA? If they don’t understand what you’re talking about, can you explain it clearly and helpfully enough that they’re happy to become the internal advocate at their SMB for more security?
If you can, thanks. If you can’t, ask yourself and your company and your community: what are we doing to protect the half of American workers who don’t work at enterprises large enough to force security measures and profitable enough to pay for them?