There are two recent surveys that report on a variety of matters but essentially demonstrate how ineffective business resources have been at providing a secure environment.
On average, survey respondents reported that IT security budgets grew a robust 17 percent during the past 12 months. That is on top of a 21 percent increase reported one year ago in the initial Cyren-Osterman Research survey. However, 68 percent of businesses reported one or more breaches or infections during the prior 12 months, and significantly less than half believe they are well prepared to meet priority threats like ransomware, phishing and zero-day exploits.
The surveys focused on the current web and email security status and priorities of IT and security managers at organizations with 100 to 3,000 employees. The survey results allow security personnel to benchmark their own security posture and planning against their peers.
A summary of some of the “IT Security at SMBs: 2017 Benchmarking Survey” questions and responses is provided below, along with key takeaways from this year’s research:
Security breaches are prevalent. Slightly more than two-thirds of the organizations surveyed – 68 percent – reported that they had experienced one or more breaches or infections during the past 12 months, with 29 percent reporting a successful phishing attack and 18 percent a ransomware infection that had gotten past their security defenses.
Ransomware is the #1 concern. Ransomware surged from fourth place in the 2016 Cyren-Osterman Research survey to the top of the heap of issues about which IT and security managers are concerned or extremely concerned (62 percent), slightly edging phishing (61 percent) and data breaches (54 percent).
Security concerns rule, controlling employees doesn’t. While threat categories are the top concerns among U.S. SMB security decision makers, only 24 percent expressed concern about shadow IT, with even fewer giving importance to controlling employee web behavior.
Security effectiveness trumps cost – and everything else. Security effectiveness (85 percent) and speed of defense against new threats (74 percent) markedly outdistanced all other capabilities that were rated (reporting, user experience, management ease, etc.). Cost considerations were among the lowest-rated factors in evaluating a security solution.
Stopping threats in HTTPS is a priority. Fifty-nine percent rated as highly or extremely important the ability to perform SSL traffic inspection for threats, ranking it fourth among desired features in a web security solution. Fifty-five percent indicated they have deployed an SSL inspection capability, which contrasts with a far lower deployment rate of 19 percent found in a similar survey in the UK in February 2017.
Few think highly of their current protection. Most IT decision-makers believe that the security deployed for their organizations is not doing well, with the largest “security gaps” around the threats of greatest concern. For example, while 61 percent rate phishing a top concern, only 39 percent rate their protection highly.
IT departments have limited IT security staff. Respondents indicated that they generally have a low number of dedicated IT security staff members available to deal with security issues. We found that over half (52 percent) of the organizations surveyed have two or fewer security staff members, with the figure rising to 80 percent for the smallest cohort, with 100-500 employees.
Mobile device security is still lagging. While 70 percent protect remote offices and roaming laptop use, only half protect company-owned mobile devices, dropping to one-fifth providing protection of BYOD mobile devices, even if they connect to the corporate network.
Cloud-based web security is moving up the adoption curve. Eighteen percent of SMBs reported that they subscribe to SaaS web security, with another 16 percent reporting deployment of “hybrid” cloud and on-premises solutions, and 6 percent relying on a hosted virtual appliance.