Midsize businesses are slashing their security budgets even as cyber-threats continue to grow, according to a report from McAfee.
In a survey of 900 employees of midsize businesses around the globe conducted by MSI International, 75 percent of the respondents reported cutting or freezing their IT security budgets in 2009. At the same time, 56 percent of the respondents reported seeing more security incidents this year than last, and 29 percent admitted to suffering a data breach in the past year.
"More than 90 percent of people surveyed in companies with 500 employees or fewer feel protected from cyber-attacks, even though the evidence is hardly on their side," said the McAfee report, entitled "The Security Paradox." "The truth is that companies with fewer than 500 employees suffer more attacks on average than their larger counterparts. Of the midsize organizations that have had security breaches, those with 101 to 500 people have had roughly 24 incidents in the past three years, compared to only 15 incidents for organizations with 501 to 1,000 employees."
The authors continued, "Our research shows that in the past year midsize organizations in the United States have spent a total of $17.2 billion fixing IT security incidents. On average, in 2008 a single midsize organization in the United States spent more than $75,000 a year on IT security incidents."
About 60 percent of the U.S. respondents said it had taken their businesses more than a day to recover from their most recent cyber-attack. That number stood at 86 percent in China and 70 percent in India. Overall, McAfee found that 65 percent of surveyed midsize organizations worldwide spend less than 4 hours a week on proactive IT security.
"An organization's level of worry and awareness about increasing threats has not overcome the downward pressure on budgets and resources," Darrell Rodenbaugh, senior vice president of global midmarket for McAfee, said in a statement Oct. 28. "But this creates a vicious cycle of breach and repair that costs far more than prevention. Our research shows that organizations that put more effort on preventing attacks can end up spending less than a third as much as those that allow themselves to be at risk."