We don't need an amateur small-business infosec army

I'm sure that the hearts of small business lobby groups are in the right place when they call for more involvement in Australia's national security. But maybe they should fit their own oxygen masks before offering to assist other passengers.

Earlier this month, the Council of Small Business Organisations of Australia (COSBOA) issued a media release, in conjunction with the Australian Chamber of Commerce & Industry (ACCI) and the Australian Industry Group (AI Group), referring to small businesses as "the eyes and ears of the community", and for the small business community to "accept its role as a key part of the security needs of Australia".

"Small business people are found in every community in Australia whether that be urban, regional or remote. Small business people are also heavily represented in the online business community," said the joint statement from the three organisations' chiefs.

"Small business people are inherently aware of what is happening in and around their businesses; by their very nature they will know when something is amiss or not quite right," they wrote.

"In this current global conflict, information is vital for security organisations and anything odd should be reported."

No.

We don't need a bunch of untrained amateurs reporting everything that's "odd", that is, unusual or outside their personal experience. Especially not when we already have a significant proportion of the population imagining that refugees are terrorists.

That master of understanding security Bruce Schneier documented cases of half-baked security scares in his 2007 essay, How We Won the War on Thai Chili Sauce -- including, yes, a time when three London streets were evacuated because chef Chalemchai Tangjariyapoon was wokking up some fresh kitchen supplies.

Schneier explained why we don't need these amateurs back in 2006, after a mobile phone salesman of Indian origin had been hauled out of a taxi for playing The Clash's song "London Calling", with lyrics including the line "War is declared and battle come down".

"I was in New York earlier this month, and I saw a sign at the entrance to the Midtown Tunnel that said: 'See something? Say something.' The problem with a nation of amateur spies is that it results in these sorts of results. 'I know he's a terrorist because he's dressing funny and he always has white wires hanging out of his pocket.' 'They all talk in a funny language and their cooking smells bad.' Amateur spies perform amateur spying. If everybody does it, the false alarms will overwhelm the police," Schneier wrote.

As the saying goes, if you're trying to find the needle in the haystack, you don't add more hay.

However, there are plenty of things that small businesses can do that would dramatically improve security for everyone, and they all come under one heading: Fix your shit.

Small businesses are renown for shoddy information security practices. Australia has very few enormous enterprises, and only 3,614 businesses with 200 employees or more. The median small business in Australia is one and a half people, typically a tradesperson with a part-time office person.

So when COSBOA talks up the "small business community", what they really mean is, well, people. Ordinary people.

And we all know how well ordinary businesses and ordinary people handle their information security needs.

They don't.

"Businesses say that protecting their online information is important, but when you ask them to prioritise what they're actually doing in their business, we find that the reality is that it's very low on their list," Michael McKinnon, AVG Technology's security awareness director, told ZDNet.

According to Department of Communications statistics [PDF], only 27 percent of businesses back up their data and hold it off-site, only 21 percent have a data recovery plan, and only 59 percent install anti-virus software.

Although 55 percent of businesses describe their online information as important, only 2 percent list the theft or damage of their online data as a business priority.

What small businesses could most productively do to help national security is to learn to use and secure their own technology, helping to create a resilient society. Sort your passwords out. Patch your computers. Help make identity theft and money laundering difficult. And lock up your dangerous stuff.

Our intelligence agencies don't need yet more haystack built out of ignorant small business feels.