Information Security in the small business owner mindset still seems to be very much stuck in the 'I have a firewall, I am safe' thought track. Whilst most owners seem to at least understand the concept of having some form of security very few have actually followed through with implementing any security practices.
Most thankfully ensure they have some form of anti-virus software running on their computers and the standard Windows firewall. Both of which are decent enough and in most cases are actually all you need to protect your business. However the problem is that whilst it sounds great to say you have anti-virus and the 'firewall', people do not update them and don't care what they do on the pc.
Imagine this situation, you are going to do a presentation at a major client. You take along your memory stick and your client plugs it into their computer and instantly your presentation is deleted off the memory stick due to some virus infection. Hopefully you have other copies available to carry on the presentation but the bigger problem is what is your client thinking of you at that moment?
Surely this guy uses anti-virus? who doesn't these days? Maybe this was one of those random moments in IT that do just happen and you are able to laugh it off and move on, however the potential fall out is considerable.
If you are tendering for business from this client and will need to keep their information, a incident like this could spark worry in your clients mind. If the memory stick is infected, then is the computer infected? If the computer is infected how many in the office are infected? Is the file server infected, possibly with spyware sending information out? Are the computers patched?
In a world where information is everything and personal information so easily exploited it is certainly in the small business owners best interest to a minimum baseline of security standards in place. The attitude of I have a firewall has not been sufficient for many years now.