My kids wanted to go to the international ice sculpture festival in Breckenridge Colorado, near where we live. The event was free, but they made us register online to get QR tickets which nobody looked at. I just wanted to get the tickets. Instead, I was forced through their painful registration process. I quickly made up a username and password and got my tickets. Did I mention that no one looked at them? And there it is. Another digital representation of me, floating around the digital ether.
In business (and personal life) I buy and sometimes just register for tools to solve problems. I hand over information and access to vendors who I think will help me run my business and life. The problem is: I never check up on that access. I don’t go back and delete my “account” or revoke permissions. I might question for 30 seconds, “am I giving out too many credentials or too much access?” but then I forget.
Google Workspace is powerful and allows you to move fast. Often that means security and IT processes take a backseat. The bigger you grow, the more people you have and the more suppliers you rely on (see my post Starting Up: A Pain in the SaaS). The more people, the more likely that someone will leave or be found unsuitable. That’s when that IT and security debt comes due.
IT and security debt can cause real problems.
According to these statistics (35 Alarming Small Business Cybersecurity Statistics for 2023) I should be alarmed. For example:
- Fact 1: 61% of SMBs were the target of a Cyberattack in 2021
- Fact 2: 80% of all hacking incidents involve compromised credentials or passwords.
- Fact 3: 95% of cybersecurity incidents at SMBs cost between $826 and $653,587.
Smaller businesses ignore security & smoother IT operations. Why?
We are busy with other things. Founders fall into the role of Unexpected Google Admin™. We are busy. We figure out Google Workspace enough to get by. If we consider using a packaged security solution, we don’t want to talk with a salesperson in order to try the product. We want to try it out in our own time.
If a tool isn’t simple, we don’t use it. When we’ve tried using a packaged security or admin solution we’ve discovered that many are not easy to use. Of course. They’re built with large enterprises in mind because that’s where the problems are biggest and that’s where the money is. They assume that the user has IT and Security experience. Or that they have time to read documentation or hire a team to do this new job. We don’t have time (see paragraph above). We want it to be intuitive and “just work” so we can get it and set it and (mostly) forget it.
We don’t like spending lots of money. We don’t yet have economies of scale. We have to run lean. Most packages are expensive. Most pricing on websites (if listed) is meant to be negotiated. We don’t have a procurement function to help us negotiate and we don’t have time to do it. We expect a reasonable price listed online that targets us.
How can we fix the problem?
The answer for SMBs is obvious: build a product that does the opposite of everything I wrote above. More specifically:
Make it easy. Simplify the discover-to-try-to-buy path. Get out of the way. Let someone try it when they want with no commitments and no friction. Let them buy it with a credit card.
Build with smaller companies in mind. Assume that the person using the product isn’t an IT Pro, doesn’t want to be an IT Pro, and has way way way more important things to do than learn your product. Don’t give them 10,000 dials to set (or decide not to set). Build in best practices by default so it is easy to set up and get value immediately.
Price it for startup teams and SMBs. Be thoughtful about pricing. Don’t charge people at smaller companies to solve a problem that they don’t have yet. If the SMB has under 10 employees, give it to them for free. Once they are past 10 people and up to 100 people, make sure the price is something that is so easy to swallow that they just enter in their credit card number.
A new world for smaller companies, with IT and security built in from the start.
We imagine a world where founders feel it is easy, cost-effective, and can get immediate value from putting identity and access management in place early. They just need to find someone who is building a solution for them and who understands how to add features and scale with them on the journey. A company that believes that it should be easy and affordable for every company to care about IT and security from the start.