In today's world of ever-increasing expense pressure, every IT professional wonders just how much they can afford to spend on security. It's difficult to measure exactly what the ROI is for security, particularly when you haven't suffered any type of breach. This makes security a particularly hard investment to justify.
However, what if you could show that recovering from security incidents typically costs more than double the amount you would need to budget to protect against the breach in any given year? Most midsize companies spend less than $20,000 a year on proactive security technology, yet the average annual cost of recovery from a security incident last year was $43,000.
Despite this reality, midsize companies today are cutting back on their security budgets, even though there has been a 71 percent increase globally in cyber attacks against this market.
At McAfee, we call it the midmarket security paradox – threats are up and budgets are down. Midsize company IT directors are worried. In fact, a sizable majority of them believe there is some chance that a serious data breach could put their company out of business.
Our research shows that from 2008 to 2009, midsize organizations in the United States spent $17.2 billion fixing IT security incidents. On average, a single midsize organization in the United States spent more than $75,000 a year on IT security incidents. In China the average was $85,000.
In Canada, one third of the companies McAfee surveyed spent an hour or less per week on security prevention. In the United States, a good majority spent more than four hours per week on preventative practices.
So is the time investment in proactive maintenance worth it? Consider this: Among those Canadian companies surveyed, those who suffered an attack lost more than a week recovering. Contrast that to companies in the U.S. which might have spent more time up-front, but were able to recover from a similar attack in less than one day.
That means proactive security practices could cut recovery time from a week to a day – that's an 85 percent improvement just for being proactive. Statistics are great, but more importantly, it could be the difference between closing for a few hours or closing for good.
But the impact on your business can be much greater than that. Think about what would happen to your company's reputation if your attack is made public – this can translate directly into lost revenue. The cost of losing client confidence or damaging a brand is significant, too. Add to that any critical business projects that are compromised, lost, or on hold, and a company could easily lose its market position.
Let's face it: Security is complicated. It can be overwhelming. Threats are growing at a staggering rate. IT directors have a hard time keeping on top of the threat landscape – and cybercriminals know it. Attacks are greater for companies with fewer than 500 employees. For a hacker, the midmarket is the low-hanging fruit.
But you don't have to become a security expert or break your budget to be protected. Do it properly and you will even save money in the long run. If you are willing to invest a little time and budget up front, you can easily keep on top of the security landscape with only 15 minutes a day. It can keep your business protected, and ensure that you are able to secure the internet connectivity that your business needs to be productive in today's world.
Alex Thurber is SVP, worldwide channel operations, and is responsible for McAfee's global midmarket business.