Data protection trumps threat pursuit in SMBs' 2009 security spending

By Linda Tucci, Senior News Writer
06 Jan 2009 | SearchCIO-Midmarket.com


IT executives at small and medium-sized businesses (SMBs) will spend a full percentage point more of their IT budgets on security in 2009 than in 2008, according to a new study from Forrester Research Inc. The change will result from a shift in security strategy from computer security threat defense to corporate data protection.

That more closely mirrors the strategy at large companies, says Forrester's "The State of SMB Security: 2008-2009." For SMBs, which Forrester defines as companies with fewer than 1,000 employees, that means 10.1% of their IT spending will go toward IT security in 2009, compared with 9.1% in 2008.

"What was interesting in this survey was how similar the SMBs were to enterprises, in terms of their issues and objectives and even the pressures they are facing in finding people with the right skills," said Jonathan Penn, vice president, tech industry strategy -- security, at Cambridge, Mass.-based Forrester and author of the report.

You need internal data protection, too
One area that isn't on the security radar for many SMBs -- but probably should be -- is access rights and the larger issue of identity management. Data assets must be protected against insiders, too, said Jonathan Penn, author of Forrester Research's security report.

"There are people who are authorized users who may inappropriately use information to the detriment of the company, or there are unauthorized users who in previous roles may have needed access to information but no longer do. Those kinds of processes in SMBs tend to be pretty poorly implemented," Penn said.

Part of the reason for this security shortcoming is that the technology for automating these processes can be expensive. But the bigger issue for SMBs is the process-intensive nature of keeping up with the rights employees should and shouldn't have.

"If it was a matter of just getting a tool to streamline onboarding, they could do that if they saw the cost benefit of that. But SMBs have tended to shy away from how they manage people's rights throughout the lifecycle of employment," Penn said. Coordinating among IT, business departments and human resources to sort out the employee rights and keeping the policies up to date is tough, and not easily outsourced.

Nearly 20% of the respondents plan to pilot or adopt a host intrusion prevention system (HIPS), file-level encryption, full disk/desktop encryption, endpoint control and data leak prevention in the next 12 months. The moves will almost double the use of these security technologies at SMBs.

Indeed, protecting the data assets of the business was the highest priority for both SMBs and enterprise companies, surpassing threats frequently cited in the past, like malware (ranked fifth of 11 security issues) and regulatory compliance (ranked 10th).

The No. 2 concern for both SMBs and enterprises was application security. It is perhaps not surprising that big companies with dedicated security staffs understand that application protection is an important component of managing risk, Penn said. The fact that the multitasking IT staffs at most SMBs not only share this concern but can also communicate it to upper management represents a shift in their approach to managing risk.

"More than half of SMBs said that management does view application security as a significant area of risk," Penn said. That's about the same number as respondents from enterprise-level companies. "That's a fairly sophisticated view."

The findings are based on responses from 1,206 SMB business and IT leaders and 942 enterprise respondents in a pair of surveys done in the third quarter of 2008.

The focus on data protection represents a "pretty healthy approach" to security, in Penn's view. Rather than following hackers' latest bag of tricks, IT executives are taking an asset-based approach, determining a company's most important data stores and building defenses around them.

"There is a growing recognition that the focus should be on what the attacks are actually doing to business assets, rather than looking at the kind of attack, per se," Penn said.

Strong adoption of managed security services

When it comes to IT security technologies, the survey showed that -- similar to large enterprises -- SMBs are increasingly going to managed security services to find specialized skills (31%) and to reduce costs (24%). Managed security services include email or Web content filtering, network firewall monitoring and vulnerability assessments. About half the SMBs already employ or plan to procure these technologies through managed services.

"We think of managed security services as something that people turn to just for cost savings," Penn said. "But we are seeing pretty strong adoption of managed security services across both SMBs and enterprises, and a lot of it has to do with the skills shortage. People are unable to find staff with the right skills, or in some cases, don't want people with those skills and find it just as effective to outsource it."

Endpoint security is one area that will see strong growth, according to Forrester, as 14% of SMBs indicated that they plan to adopt or pilot services in this area. That's on top of the 19% currently using such services.

Other findings from the survey include:

  • Some 58% of SMBs use personal firewalls; 26% use HIPS and another 19% plan to adopt it in the next year.
  • One in five SMBs has a strong plan to pilot or adopt full disk encryption (18%), file-level encryption (18%) and endpoint application/device control (17%).
  • One in four SMBs has adopted email encryption (26%), network storage encryption (23%) and data leak prevention (23%) -- more than any other data security technologies.
  • In 2009, data leakage protection will see the most growth, with 20% of SMBs committed to piloting or adopting it in the next 12 months.

Security holes at SMBs

For Jerry Hodge, senior director of information services at Hamilton Beach Brands Inc., managing risk is a constant negotiation with the business. The midmarket company has all the enterprise-sized risks, including contending with the Sarbanes-Oxley and Health Insurance Portability and Accountability acts as well as Payment Card Industry regulations -- with a fraction of the resources.

Hodge said he hopes to free up some money this year to do quarterly security assessments to get a better handle on vulnerability. Hodge also reorganized his infrastructure team and gave it a new name -- the infrastructure, security and compliance group -- to better address his risk strategy. But money is tight. "We are looking to do more with the same dollars," he said.

Indeed, cost and business justification for data security remain a huge challenge for the majority (54%) of SMBs in plotting their security strategy, the survey showed. But Penn said this year's survey results also indicate a growing awareness of security as a business issue.

"I don't think that the business yet sees security as a business enabler, but they do see that bad security can be significant business risk," he said.
