SMB Security Investment Plans for 2015
2014 has been christened the “Year of the Breach,” but news coverage has focused exclusively on the impact of high-profile hacks and data leaks upon large enterprises. Small and midsize businesses (SMBs), meanwhile, have been neglected.
Software Advice surveyed SMB owners and decision makers to learn how they feel about cyber threats and their security investment plans for the coming year. This report will provide SMBs with insight into how their peers are approaching security issues, while security vendors will learn how the SMB market is showing readiness for growth in the year ahead.
Over the last 12 months, a series of huge data leaks at firms from Target to Home Depot to eBay has led many in the media to christen 2014 the “Year of the Breach.” This isn’t just hype—according to a recent study by the Ponemon Institute, a record 43 percent of U.S. firms report experiencing hacks in 2014, a 10 percent increase from 2013.
In an online survey of 366 security professionals conducted by CSO, almost half of respondents report that their organizations are re-evaluating their information security standards as a direct result of 2014’s attacks. In addition, 37 percent of security executives report a “significant” increase in the amount of time they spend advising business executives and decision makers on security-related matters. In short: Big business is taking security more seriously than before.
But what about small and midsize businesses? According to security firm Symantec, around one-third of cyberattacks target SMBs—which are usually more vulnerable to attacks, as they often lack dedicated IT staff. However, Symantec also found that 77 percent of these SMBs believe they are safe from cyberthreats.
Thus, it seems that many SMB leaders simply don’t perceive their business as a target—or at least, this has historically been the case. After a year of sustained, high-profile reporting on data breaches, we wanted to know if these opinions had changed. Software Advice surveyed SMB owners and decision makers in the U.S. to find out how heavy media coverage of data leaks has affected their level of concern about cybercrime, and what they plan to do about it.
The Symantec studies may have revealed a certain “devil may care” attitude among SMBs toward cybersecurity matters—but in reality, hacks and data breaches are much more likely to have a devastating effect upon SMBs than they are upon enterprises. This is because SMBs typically lack the resources to cover the costs of a successful cyberattack.
On this note, we first asked respondents how they currently feel about cybercrime, as compared to how they felt at the end of 2013. Does a Zen attitude of relative calm persist, or has anxiety increased?
The results indicate that the apparently breezy self-confidence Symantec found is likely a thing of the past: 65 percent of respondents are now more concerned about the threat cybercrime poses to their business than they were 12 months ago. What’s more, the highest percentage of respondents are “much more concerned.”
By contrast, a mere 7 percent total have experienced a decline in anxiety since 2013. It may seem that these respondents are burying their collective heads in the sand. However, it is possible to interpret these responses in a more generous light: These business owners and decision makers may have greatly improved the state of their defenses since this time last year.
After all, Target has done so—and Gartner reports that worldwide information security spending for 2014 will increase nearly 8 percent over 2013.
With the knowledge that the majority of SMBs are more concerned about cybercrime now than they were a year ago, we next wanted to find out what role news stories on high-profile breaches at firms such as Home Depot and Target played in that increase.
It might seem logical to assume that stories about the “Year of the Breach” have led to an upsurge in anxiety. However, a Software Advice survey from earlier in 2014 found that incessant media coverage has the opposite impact upon consumers—tales of incessant security failures were found to induce indifference and chronic “data breach fatigue.”
As it turns out, the stream of security-breach stories in the media has had a logical impact on SMB decision makers, who stand to suffer much more than consumers:
Indeed, a grand total of 87 percent say that coverage of the 2014 breaches has increased their concern to some extent, with 40 percent of respondents describing the impact of these news stories as “significant.” Strikingly, this total exceeds the 65 percent of respondents who report feeling more concerned now than they did in 2013—as if the mere mention of Target, Home Depot and the like triggers business-owner anxiety.
But while SMBs are growing more concerned about cybercrime, this does not necessarily mean they are willing to invest in the tools to fight it—which brings us to our next question.
Few would claim that spending money on defense technology alone will make a company more secure; after all, Target spent millions on security. However, spending can at least be viewed as a significant indicator of how seriously a business takes the threat of cybercrime. In other words, money talks.
We polled respondents on their willingness to go beyond mere expressions of concern and take the financial leap to boost investment in security.
A combined one-third of respondents say they are planning to increase their security spending either “significantly” or “moderately.” Security vendors thus face a strong opportunity in 2015 to increase their presence (and profits) in a market that has traditionally been somewhat blasé about the necessity of the tools they provide.
Meanwhile, the fact that 41 percent of respondents foresee no change in their spending does not necessarily indicate indifference to cybercrime. Rather, this may reflect the very real budget constraints that many small businesses operate under; they may simply lack the funds to boost spending, even if they have the desire.
As for the 3 percent who plan to decrease spending either “minimally” or “moderately” (none of our respondents say they intend to “significantly decrease” spending, although we provided them that answer choice), it is possible that they, too, are experiencing a budget crunch.
Another possibility is that they have already made major investments in security, and do not anticipate having to spend money at the same level in 2015. Of course, it also could be that they simply don’t care about IT security.
Finally, we asked respondents where they are planning to make investments in 2015. Of course, there is a vast array of security tools offered, and security-related terms tend to be quite amorphous. So we decided to home in on the type of functionality commonly found in the more comprehensive endpoint protection suites, which are offered by major vendors such as Symantec, McAfee and Kaspersky, among others.
It is not surprising to see such core functionality as firewall (chosen 26 percent of the time), anti-malware (25 percent) and Web security (25 percent) sitting at the top. These are the types of defenses that are required not only by businesses, but by consumers on their home PCs; thus, they are likely to have a high level of “name recognition,” even among non-IT experts. In other words, even if you don’t know exactly what these things do, you probably know that you need them.
Perhaps the most interesting result is that exactly 25 percent of SMBs indicate an interest in data loss prevention (DLP). DLP is not generally viewed as a core protection by most vendors, and does not appear in the basic suites alongside firewall and anti-malware. However, SMB interest in this is logical after so much talk about “data breaches” and “data loss” in the media: DLP tools are designed to prevent unauthorized access to, and transferal of, valuable information.
SMB buyers should note that a DLP solution is unlikely to do much to prevent the type of data loss suffered by Target. But it can mitigate the risk posed by company insiders transferring data to computers outside a network, or that posed by visitors to the network copying information onto removable media, such as a USB stick.
Moving along, it seems dedicated messaging security is less of a priority for respondents in terms of security investment, chosen by just 14 percent. Here, it is possible that SMBs are using cloud-based solutions, such as Gmail, and relying on built-in protections.
Finally, for the 33 percent of responses that indicated no plans to invest in any of these tools, this could just as easily indicate budget worries as indifference.
One of the problems bedeviling SMB decision makers who want to improve cybersecurity is that security vendor websites abound with technical terms, which are intimidating for the non-IT-oriented to understand—and, as previously noted, many smaller businesses lack dedicated IT staff.
However, the good news for SMBs is that many dedicated solutions for their end of the market exist, and these are often designed to require minimal to no IT expertise. Indeed, some solutions can be downloaded from the Web in minutes.
When choosing a solution, owners of smaller businesses need to think about a number of factors. These include, of course, how many computers they want to protect, but also how their employees access resources, what devices they access them from and what kinds of data they need to keep secure.
Security suites for SMBs range from “small office” products—aimed at businesses with up to 15 employees—to larger suites that can cover hundreds of employees. However, small office suites need not be simple affairs. For instance, ESET’s Small Office Security product includes protection for a file server and five Android mobile devices, while Kaspersky’s small office product includes mobile security, encryption, password management and more.
Suites designed for larger SMBs may combine server protection with protection for workstations, and include not only antivirus and mobile device management (MDM) but also data loss prevention tools. For instance, McAfee Endpoint Protection Advanced includes DLP, MDM and content filtering, as well as Web and messaging security.
Another consideration is how much of an impact the security software will have on system resources. Many solutions are touted as having a minimal impact, and some—such as Panda Cloud Office Protection or AVG CloudCare—are Web-based, and thus have a very small footprint on system performance. Also crucial is knowing that not every security product works on every platform: Some are restricted to Windows, for instance.
Business owners do not need to have an advanced degree in information security to understand how to use these products. But those who feel they do not have the time or expertise to manage the security of their systems can outsource the task to a managed security service provider (MSSP). MSSPs are often localized, although some major technology firms also offer these services. For instance, Dell SecureWorks is a major MSSP, while Check Point sells a managed security service targeted directly at SMBs.
The results of our survey demonstrate that SMBs are waking up to the threat cybercriminals pose to their businesses. Business owners now have a wide array of security suites to choose from, and those who take defensive measures—some of which are outlined in this report—stand a much stronger chance of protecting themselves from the potentially devastating effects of a cyberattack.
Meanwhile, our survey also reveals that a significant percentage of SMBs are willing to spend money to protect themselves. 2015 thus represents a major opportunity for security vendors to make inroads into this market. However, given the complexity of security systems, vendors will need to take great care to explain, in layman’s terms, what their products do and why they are necessary.
Those who manage to achieve this not only stand to reap profits, but also to make a vulnerable segment of the economy safer, thus benefiting everybody—except, of course, the cybercriminals.
To find the data in this report, we conducted an online survey of owners and operators of U.S. businesses with 500 employees or fewer. We asked four questions, and collected between 341 and 385 responses per question. All survey questionnaires undergo an internal peer review process to ensure clarity in wording.
Sources attributed and products referenced in this article may or may not represent partner vendors of Software Advice, but vendor status is never used as a basis for selection. Interview sources are chosen for their expertise on the subject matter, and software choices are selected based on popularity and relevance.
Expert commentary solely represents the views of the individual. Chart values are rounded to the nearest whole number.
If you’d like to further discuss this report or obtain access to any of the charts above, please contact firstname.lastname@example.org.