A majority of the headline-grabbing breaches that take place around the world involve large corporations. However, though less visible, small to midsized businesses (SMBs) are just as likely to be targets. As the threat landscape continually evolves, security professionals at SMBs are up to the challenge, but more often than not may be blindly spending when it comes to security solutions.
That's because while larger corporations can afford the “bells and whistles” available in the security product market, many SMBs may not have the same resources, leaving security practitioners at these organizations to make tough decisions on what can address the prioritized risks. Studies have shown that the money being spent isn't aligning with the risks that are actually being posed to SMBs.
“The State of Risk-Based Security Management,” a recent study conducted by the Ponemon Institute and security firm Tripwire, found that only 11 percent of an organization's budget is spent on the application layer, although 37 percent of the 1,320 IT professionals surveyed pointed to it as a “key security risk.”
The fact that there's no universal strategy in the security industry doesn't help SMBs make better spending decisions, John Stewart, SVP and CSO at Cisco, said. Additionally, he believes the number of solutions on the market only makes choosing a security product more challenging. “There are many, many solutions out there,” he said.
Further, security audits, while effective in prioritizing risks, can be too costly for organizations that don't have the budgets to perform them frequently. However, there are other measures that can be taken. Steve Durbin, global VP of the Information Security Forum, a nonprofit that addresses security and risk management issues, believes it's essential for SMBs to collaborate in order to “informally benchmark” one another in terms of their security practices.
“There is a role here for independent organizations, and to an extent government, to provide insight and guidance around what the fundamentals of good security practice might be,” Durbin said.
A recent study conducted by Kaspersky Lab indicates that a successful attack on an SMB could result in a loss of up to five percent of its total revenue. With that much at stake, it's no wonder spending on IT security is expected to reach $30.1 billion by 2017, according to a study from Canalys.