Midsize organizations are slashing or freezing their security budgets at the same time that they are seeing an increase in cyber-attacks this past year, said a study.
Midsize companies reported an increase in cyber-threats this past
year, but are still freezing their IT security budgets, according to a
report released by McAfee on Oct. 13.
According to "The Security Paradox
study, more than half of surveyed midsize companies have seen more
security incidents in the past year, from mid-2009 to mid-2010. Of
those who'd been hacked, 16 percent reported it took them more than a
week to recover from the damage.
About one-third of the organizations were attacked repeatedly, and
more than half of those incidents were serious enough to take up to
hours to investigate and fix, the survey said.
"Keeping up with security threats is a significant distraction from
running a midsize business," said Alex Thurber, senior vice president
of worldwide channel operations for McAfee, in a statement.
In the United States, the average number of cyber-attacks against midsize organizations more than quadrupled from mid-2008 to mid-2009
, McAfee said.
Going to the cloud may not remove the security risk, according to
the study. A number of respondents, mainly in Europe, Middle East and
Africa, saw up to 10 cloud computing incidents in the past year, and
"we would expect to see a growth in incidents in this area," the
Threats are up and growing in severity, but IT security budgets
are way down. This is a problem, as more than half, or 58 percent, of
organizations spent less than three hours per week working on,
evaluating and researching IT security options, according to the
survey results. It's better than last year's 65 percent, but it's still
a distressing number considering the escalation.
"While the threats have grown, these companies' resources to fight them have declined, creating a paradox," Thurber said.
Taking full advantage of this paradox are cyber-criminals and
disgruntled employees, who attack networks and systems, and steal
sensitive information, McAfee said.
Worldwide, three-quarters of the companies reported either flat or
declining security spending, said Darrell Rodenbaugh, senior vice
president of global midmarket for McAfee. The country-breakdowns showed
similar patterns in the United States and Canada, with only a quarter of the
organizations reporting increased security spending, according to
Over half of the surveyed organizations also admitted to knowing
less than three-quarters of the regulatory and compliance requirements
pertinent to their organization or industry, said McAfee.
One possible reason for the paradox may be because IT managers still
think hackers prefer to target larger enterprises. Last year, nearly
half of the respondents said companies with more than 500 employees are
the most vulnerable. This year's report indicates managers are
beginning to revisit that assumption, with only 21 percent thinking so.
One in five surveyed organizations had a security incident that
directly affected revenue. On average, companies lost $41,000. The
number jumped dramatically in China, with more than one-third of the companies
reporting an average loss of $85,000.
According to the survey, the most common result of a security attack was data loss, usually private information of customers, employees and partners
. Nearly half of all reported intellectual property losses were from companies based in Europe, Middle East and Africa.
About 75 percent said a serious data breach could put them out of
business, according to the survey. About, 40 percent of the
organizations reported a data breach
, a 13 percent increase from last year.
More than 83 percent of the respondents said they were concerned or very
concerned about being the target of an "intentional and malicious"
attack. In contrast, 88 percent worried about "non-malicious or
inadvertent" security incidents.
Non-malicious or inadvertent incidents include accidentally losing a
laptop with sensitive corporate data or sending an e-mail attachment to
the wrong person, according to the survey methodology. The most
prevalent malicious attack was malware
, followed by Website threats, including phishing, hacking and software exploits
The report, in its third year, examined midsize companies'
attitudes toward security and compares them with current security
trends. More than 1,100 IT managers were surveyed across companies
with between 51 to 1,000 employees. The worldwide survey included
companies in Australia, Brazil, Canada, China, France, Germany, India,
Japan, Mexico, Netherlands, Spain, the United Kingdom, and the United