An analysis of Ross Anderson's original commentary, summarized for today's business owners.
The Real Problem Isn't Technology
When we think about cybersecurity, it's tempting to imagine it as a purely technical puzzle: stronger passwords, better firewalls, smarter software.
The Economics of Insecurity
Ross Anderson shows that insecurity is often the rational outcome of how markets work. Here are key lessons for business owners:
Who Pays, Who Cares
In banking, fraud rates were lower in the U.S. because banks had to reimburse customers. Where customers bore the cost, banks slacked off.
Tragedy of the Commons
Hackers hijack small, poorly protected systems to attack giants. But when investigated, it's the small business that gets flagged as the weak link.
Why Insecure Products Win
Cheap software beats safer alternatives because customers can't see quality differences. But when breaches happen, "cheap" becomes most expensive.
"If you're the one who will pay the bill when data is stolen, you can't wait for someone else to protect you."
The Small Business Reality
You're the Pawn
Even if you aren't the direct target, you can still be the pawn that pays. Small systems become stepping stones for larger attacks.
Liability Follows You
When client data is exposed, trust may be lost forever. The "cheap IT solution" becomes your most expensive decision.
No Second Chances
Big tech can "ship fast, patch later." Small businesses can't afford that luxury without risking everything.
The Attacker's Advantage
Just like lemons in the used car market, "cheap IT" looks good upfront but leaves you stranded when things go wrong.
Modestly resourced hackers can find vulnerabilities faster than you can fix them—unless you've got a team watching proactively.
Three Critical Lessons
Don't Wait for Version 3.0
Big tech companies can afford to "ship fast, patch later." You can't. If you expose client data, you may lose trust forever.
Bad Security Drives Out Good
Just like lemons in the used car market, "cheap IT" can look good upfront but leaves you stranded when things go wrong.
Attackers Have the Advantage
Even modestly resourced hackers can find vulnerabilities faster than you can fix them, unless you've got a team watching your systems proactively.
The Good News: Flip the Script
You don't have to play this losing game alone. Proactive security programs flip the incentive structure in your favor.
Instead of waiting for regulators, insurers, or hackers to dictate your future, you can take control with a proactive security strategy.
Shift Liability Back
Document a Written Information Security Plan (WISP) and prove due diligence to control your liability exposure.
Cut Risk Exposure
Deploy 24/7 monitoring, patch management, and insider-risk prevention to stay ahead of threats.
Protect Client Trust
Show clients you don't just meet compliance—you exceed it, building lasting relationships.
Just like you wouldn't wait until a fire to buy insurance or install sprinklers... Cybersecurity is not something to fix after the breach. Proactive investment protects your business, clients, and future before disaster strikes.
The Cost of Inaction
Years of Relevance
Anderson's insights remain true today: insecurity is often rational for vendors and hackers.
Existential Risk
For small business owners, insecurity isn't just a problem—it's existential.
Breach to Ruin
One major breach can destroy years of reputation building and client relationships.
SPM Advisors: Your Security Partner
We design proactive security programs that work for small businesses in Central Virginia and beyond.
Assessment
Evaluate your current security posture and identify vulnerabilities.
Strategy
Design affordable, big-business-grade security tailored to your needs.
Implementation
Deploy 24/7 monitoring and proactive protection systems.
Support
Continuous monitoring and updates to stay ahead of threats.