Did compdlacency kill the cat or was the cat already wounded?

Rothman hits close to home with his comments regarding SMB security. But I have to admit he is right. I've spent my career in SMB IT and have many friends who are in it also. Security is a back burner issue for many of them. Sometimes it's due to complacency, sometimes it due to lack of understanding from upper management and sometimes it's due to lack of funding. The funding can be gotten around. There are too many good open source free tools out there that will do the job as good as most commercial products. They do take a little more work to set up and maintain, but they will get the job done.

Rothman is also correct in his assessment that SMB's think that a firewall and AV is all that is needed. That may be true if you have an office that only has PC's and is very restrictive on who is given Internet and email access. If you don't have remote or mobile users, lock down your systems so that USB, CD/DVD, and floppy drives, keep all network jacks disabled until needed, monitor and restrict access via MAC address on your switch I (I know this can be gotten around it's just to make a point), scan for rogue wireless AP's, and absolutely refuse to allow anyone from outside the company to connect to your network. If you do allow any or all of these then you need more than a firewall and AV.

I think the biggest problem that SMB's have when it comes to securing their networks, endpoints and data is that they don't understand how important it is. The IT guy is usually not a security guy and often the security guy is only that because he is the one that opened his mouth at the wrong time. He doesn't have training or a security mindset so he doesn't see anything wrong with what they are doing.

I'm not sure I'd call it true complacency that affects SMB security as much as it's complacency by default. They default to complacent because of not understanding security.