Just about every business has some antivirus software and a firewall of some sort, and even during hard times, most will acknowledge the need for those basics. But what about security that goes beyond the basics? That may be a little bit harder to sell, despite the obvious need.
The basic endpoint security of desktop antivirus and antimalware is just a part of it. Security to protect the perimeter prevents those bugs from getting into the network in the first place; the desktop software is really nothing more than a failsafe. Naturally, I'm preaching to the choir here, but convincing a smaller business on a tight budget to spend more on security is another story.
An article on eChannelLine also points out that during hard times, cyber-bad-guys are trying even harder, but security does not have to suffer during the recession. In pointing out that security actually involves three parts: "people, processes and technology", we start to see that the cost of the actual technology we're trying to sell is only part of the solution. A small business can go a long way towards improving security by improving knowledge and education. Even if there is no budget for the educational component of that triad, the security reseller can at least point the cusotmer to the abundant availability of free or low-cost online resources that can be shared with internal staff.
That same sentiment is reflecdted in a recently-published paper, "Security threats: A guide for small and medium businesses", which addresses the threats to small businesses--and the need for a clear policy, user education, and of course, good technology to top it all off.