Small and medium businesses have, for the most part, frozen spending on security, despite an increase in perceived threats, according to a survey released this week by security firm McAfee.
The report, McAfee's first study of the small- and medium-sized business market, analyzes surveys from approximately 100 companies in each of nine different countries, focusing on firms with 51 to 1,000 employees. The surveys found that three-quarters of firms decided to cut or freeze their spending on information security in 2009, and two-thirds of companies spent less than three hours a week on security.
Yet, the paradox, McAfee argues, is that despite the falling security budgets, a similar fraction of companies -- 71 percent -- believe that a data breach could put them out of business. Nearly two out of ten companies surveyed said they had a security breach in the last year. The average tab to clean up: $41,000.
"These are the companies in which you don't have a lot of dedicated security experts," said Darrell Rodenbaugh, senior vice president of McAfee's global mid-market group. "So they questions are how do we keep the IT managers up to speed and educate them on the cost of not doing the (security) work proactively."
The survey accompanies headlines of small- and mid-sized companies and organizations falling prey to hackers and losing hundreds of thousands of dollars per incident. In total, the FBI estimates that more than $40 million has recently been stolen from such firm, according to the Washington Post. In one example, a Silicon Valley construction firm had $447,000 siphoned from its account in 27 separate transactions in a matter of minutes.
While the report suggests that companies need to spend more time making sure they are secure, it also levels criticism at security firms: They need to make their products simpler, more intelligent, and more secure, said Rodenbaugh.
"The challenge for the security industry is that we have to deliver broad comprehensive protection that is easy to maintain," he said. "I would expect higher levels of productivity out of my security technology provider, and we absoltely strive to get to that point."
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos