SAN JOSE, Ca. – McAfee has released research finding from a global study that midsize organizations are cutting their security budgets at the same time that cyberthreats are escalating. The study found that more than half of midsize companies surveyed globally have seen more security incidents in the past year, and a single midsized company lost $43,000 on average to security incidents. Meanwhile, the majority of these same companies reported spending freezes on their IT security budgets.
“In the global study, 56 percent said security spending was flat, and 19 percent said it was decreasing while only 25 said it was on the increase,” said Darrell Rodenbaugh, senior vice president of global midmarket for McAfee. “The US numbers were pretty similar, with 51 percent flat, 23 percent increasing and 26 percent decreasing. In Canada 64 percent were flat, 27 percent increasing and 9 percent decreasing.”
The survey looked at companies with between 51-1000 employees, in nine different countries (Australia, Canada, China, France, Germany, India, Spain, the United Kingdom and the United States) with a minimum of 100 companies per country in the sample size. The objective, Rodenbaugh said, was to understand the real costs companies are facing today, as well as understand their level of effort in security and the amount of money they spend when a threat hits.
Rodenbaugh said they walked away with three general findings.
“First, security threats and the number of incidents have increased. The number of midsized companies that said they sufferered an attack showed a 71 percent increase from the summer of 2008. We think that’s fairly dramatic. The majority of companies also said they are seeing more threats, more incidents, with 56 percent seeing an increase in threats.
Secondly, organizations are spending lots of money reacting to the threats. A typical company globally spent $43,000 on IT incidents. Interestingly, the U.S. was well above the global average, at $75,000, while Canada was well below it, at $23,000.
The third finding is that organizations are freezing or cutting their IT budgets. And the result is that while they spend less time and money on proactive management, they spend more time and money recovering from attacks.
“That confirmed what we assumed would be the case at a gut level,” Rodenbaugh said. “In the U.S., the typical IT professional spent six or more hours a week proactively, and less than a day recovering. In Canada, it was less than a couple hours being proactive, and the time to recover was several days. The time spent in proactive management paid for itself when the company had an incident.”
This paradox occurs in part because midsize companies are under the mistaken impression that hackers prefer to target larger companies. Almost half of midsize organizations surveyed (43 percent) think larger organizations with 501+ employees are most at risk for a security attack. In truth, organizations with less than 500 employees actually suffer from more attacks on average.
The study considered five separate vectors of IT security: 1) the endpoint protection vector, (the most basic form of protection) with 96 percent of the companies having some endpoint protection in place; 2) the email vector (the most common threat vector in this study – it wasn’t the most expensive, but was the most commonly impacted; 3) the Web vector, with threats from website surfing or social media the fastest growing of the vectors); 4) the data vector, protecting information assets in a mobile form, in a laptop or USB drive or downloadable, where the study found companies were not yet stepping up; and 5) the network vector, protecting from the outside (firewall, intrusion protection).
“The study found that while the costs of remediation for each of the five vectors was different, and costs per incident might vary, each of those vectors cost companies about the same money,” Rondebaugh said. “There was no more than 10-15 percent variance.”
The lessons for the midmarket are clear, Rodenbaugh said. Midsize organizations need a balanced approach to security management, against all threat vectors.
“An IT manager can’t assume he can invest in just a couple threat vectors,” Rodenbaugh said.
Companies need to continue to be vigilant, and invest smartly, and in easy-to-manage technologies that allow the best security management with a minimum of time and effort, Rodenbaugh said.
This column was written by Mark Cox of ConnectIT, an IntegratedMarCompany
a>>
