Most of my long-term clients have made information security an integral part of their computing. We spend significant time on improving the security of their systems. When I visit a new client, I know what to expect. There are almost always significant deficiencies in security controls. 20% of my new clients have adware/malware that they weren’t aware of. Password management is generally awful. Most new clients are concerned about security, want issues remediated, and agree to work on improving their security over the long term. A small minority want security to be put on the back burner. This is a mistake.
Those of us in the information security field know that security incidents aren’t a matter of if. They are a matter of when. Security should be dealt with proactively. For businesses (of all sizes), that involves creating and maintaining a formal information security program. It’s much more expensive and aggravating to deal with a security incident than to have proper security to begin with. Breaches can put small businesses out of business.