Midsize companies reported an increase in cyber-threats this past year, but are still freezing their IT security budgets, according to a report released by McAfee on Oct. 13.
According to "The Security Paradox" study, more than half of surveyed midsize companies have seen more security incidents in the past year, from mid-2009 to mid-2010. Of those who'd been hacked, 16 percent reported it took them more than a week to recover from the damage.
About one-third of the organizations were attacked repeatedly, and more than half of those incidents were serious enough to take up to five hours to investigate and fix, the survey said.
"Keeping up with security threats is a significant distraction from running a midsize business," said Alex Thurber, senior vice president of worldwide channel operations for McAfee, in a statement.
In the United States, the average number of cyber-attacks against midsize organizations more than quadrupled from mid-2008 to mid-2009, McAfee said.
Going to the cloud may not remove the security risk, according to the study. A number of respondents, mainly in Europe, Middle East and Africa, saw up to 10 cloud computing incidents in the past year, and "we would expect to see a growth in incidents in this area," the researchers wrote.
Threats are up and growing in severity, but IT security budgets are way down. This is a problem, as more than half, or 58 percent, of organizations spent less than three hours per week working on, evaluating and researching IT security options, according to the survey results. It's better than last year's 65 percent, but it's still a distressing number considering the escalation.
"While the threats have grown, these companies' resources to fight them have declined, creating a paradox," Thurber said.
Taking full advantage of this paradox are cyber-criminals and disgruntled employees, who attack networks and systems, and steal sensitive information, McAfee said.
Worldwide, three-quarters of the companies reported either flat or declining security spending, said Darrell Rodenbaugh, senior vice president of global midmarket for McAfee. The country-breakdowns showed similar patterns in the United States and Canada, with only a quarter of the organizations reporting increased security spending, according to Rodenbaugh.
Over half of the surveyed organizations also admitted to knowing less than three-quarters of the regulatory and compliance requirements pertinent to their organization or industry, said McAfee.
One possible reason for the paradox may be because IT managers still think hackers prefer to target larger enterprises. Last year, nearly half of the respondents said companies with more than 500 employees are the most vulnerable. This year's report indicates managers are beginning to revisit that assumption, with only 21 percent thinking so.
One in five surveyed organizations had a security incident that directly affected revenue. On average, companies lost $41,000. The number jumped dramatically in China, with more than one-third of the companies reporting an average loss of $85,000.
According to the survey, the most common result of a security attack was data loss, usually private information of customers, employees and partners. Nearly half of all reported intellectual property losses were from companies based in Europe, Middle East and Africa.
About 75 percent said a serious data breach could put them out of business, according to the survey. About, 40 percent of the organizations reported a data breach, a 13 percent increase from last year.
More than 83 percent of the respondents said they were concerned or very concerned about being the target of an "intentional and malicious" attack. In contrast, 88 percent worried about "non-malicious or inadvertent" security incidents.
Non-malicious or inadvertent incidents include accidentally losing a laptop with sensitive corporate data or sending an e-mail attachment to the wrong person, according to the survey methodology. The most prevalent malicious attack was malware, followed by Website threats, including phishing, hacking and software exploits.
The report, in its third year, examined midsize companies' attitudes toward security and compares them with current security trends. More than 1,100 IT managers were surveyed across companies with between 51 to 1,000 employees. The worldwide survey included companies in Australia, Brazil, Canada, China, France, Germany, India, Japan, Mexico, Netherlands, Spain, the United Kingdom, and the United States.