SMBs to Increase Security Spending in 2009

Forrester Research reports small to medium-size businesses are planning to spend a healthy percentage of their 2009 IT budgets on security, with data protection listed as a top priority.

Although many midmarket companies are looking to tighten IT budgets in 2009, one area where spending will increase is security, according to a report from Cambridge, Mass.-based Forrester Research. The report projects SMBs (small to medium-size businesses) will increase IT security spending by a full one percent.

The major areas of IT security spending, according to Forrester's survey of 1,206 SMB IT and security managers in North America and Europe, are data security (87 percent), with application security close behind (80 percent). However, of the issues SMBs deem "very important," 64 percent selected data security, with the next most common being business continuity/disaster recovery at 48 percent.
Eighty-two percent of SMBs describe protecting sensitive corporate data and intellectual property as a very important or important business objective for IT security, and 82 percent of SMBs say the same for protection of customer data.
Jonathan Penn, author of Forrester's "The State Of Enterprise IT Security: 2008 To 2009" and vice president of tech industry strategy - security, says SMBs' priorities closely follow those of enterprise-level companies. "Data protection is the No. 1 issue, and the availability of data follows that," he says. "They are recognizing that protection of the data is a key part of their business."
Penn says that in this particular economic climate, SMBs are worried about losing customers due to a security breach, rather than concerning themselves with gaining new clients. "The last thing you need is to somehow erode that [customer] trust with a big data breach," he says. Similarly, midmarket companies are also concerned with protecting data on products and price points from competitors.
The strength of the budget numbers was another aspect of the report Penn says he found surprising. In 2009, many SMBs plan to increase IT security budgets to 10.1 percent. Budget allocation for new security initiatives mirrors this trend, going from 14.9 percent in 2008 to 15.9 percent in 2009. Last year, midmarket companies spent 9.4 percent less on security than they did in 2007. "This is a snapshot, and things could change in a few months, but one thing that won't change is that security is getting a bigger piece of the IT budget," he says. "It's going to be that way for at least a couple of years, and I think some of it has to do with awareness."
The survey found the biggest challenge area for SMBs in their data security strategies is in cost and business justification (54 percent). SMBs have adopted more e-mail encryption, network storage encryption and data leak prevention, the last of which will see the most growth: Twenty percent of SMBs surveyed said they are committed to piloting or adopting it in the next 12 months.
Penn says that while many SMBs don't have dedicated security people, they understand the importance of security. "If you go to CEOs and talk about some of the hot IT issues like cloud computing or virtualization, they're not going to know what that means to them," he says. "But they do know what a data breach means."
Despite plans for heavy spending on security initiatives like new processes or new technologies like full disk encryption, the switch from reactive data protection, such as threat management, to data protection is emblematic of a realization that not every announced threat can be effectively countered. "They still need to [manage threats], but they're looking at it from an affect standpoint, rather than trying to respond to every vulnerability that is announced," he says. "It's just not feasible to do that, and at the end of the day they're not that well protected and now they have all this technology to manage."
Like enterprises, SMBs are also looking to outsource contracts as a way to streamline IT management and make the most of tight budgets. If a company requires security expertise unrelated to an understanding of the business, then any security company that can protect data offers a potential solution. "Focusing on what's important, the data, is exactly the right way to go," Penn says. "SMBs have been ahead of enterprises in outsourcing, but both are looking for ways to offload some of the tactical expertise."
When it comes to determining which security priorities to invest in, the survey found peers and colleagues (or word of mouth) at the top of the list of influential sources of information for informing purchasing decisions. Of those asked, 35 percent of SMBs said that their peers are very important. Consultants, value-added resellers (VARs), and systems integrators were considered very important by 27 percent of SMBs, while technology or business publications and magazines are also important and hold the attention of 74 percent of SMBs overall.