Hi Brendan
I have not read the article so cannot comment on it directly; however, there are a few points I would like to make from my own experience:
People understand the risks faced in the real world. That's why we deploy burglar alarms on our premises, have a safe to store important documents and have policies in place to ensure a safe working environment. If my company is a small professional firm then I would deploy burglar alarms and ensure I had good locks on the doors. If my company trades in diamonds then I would ensure that I do have "an armed guard and 4 rottweilers" roaming the building.
Securing your business is all about risk management. You identify the threats to your business, be they burglars, theft by staff, fraud or fire. You then decide what you need to put in place to manage that risk.
In the IT world the risks are not as easily understood by business people and, to a certain extent, not by a lot of IT people either. However, once you deploy computers and/or connect to the Internet, there are still very real threats to your business. Computer viruses, hackers and in-house threats exist and need to be managed.
Computer viruses are a fact of life; anyone who has a PC has at one stage or another come across a computer virus, just look at the IT forum on AAM. The risk assessment that has to be made is: what impact will a computer virus attack have on my business? This is in terms of lost productivity, lost revenue and the cost of cleaning up the infection. You then manage that risk the same way you manage any other risk to your business.
Hackers are real and are a threat. The image of someone hacking into your network to steal money is far from reality (unless you are a prime target like a bank etc.). Hackers attack computers to use them for various means, ranging from the pure thrill of "owning" someone else's computer, boasting to their friends how many computers they "own", or using other computers to attack their real target, thus hiding their identity. A point to note is that these hackers also employ automated tools that identify and exploit unprotected systems, not caring where those computers are. Again, this is a real risk and one that needs to be managed. Can your business afford the impact of discovering your systems have been compromised? What about the cost of fixing the breach and the damage to your reputation? On my own PC at home my firewall blocked an attack from a server located in the First Federal Bank of Boston's network. This machine had been automatically attacked and exploited and was then targeting my machine. Having deployed various security tools on my PC, I was able to detect and prevent that attack. What damage would have been done to the bank's business if their server had attacked a major customer's system and not some Internet user in Ireland?
I agree that there has been overhype by certain sectors of the IT market, but there is still a lot of truth amongst all the hype. Computers make it easier and quicker to do things, including spreading viruses and hacking into systems. While a burglar can only attack one company at a time, a computer virus or hacker can hit many companies at the same time.
From my experience, a lot of small businesses spend little or nothing on managing the risks posed by viruses and hackers, simply because they do not understand what the risks are. Once you understand the risk you can manage it appropriately.
C
Major disclaimer: I work in the IT security business.