Small and mid-sized businesses typically spend 5 to 10 percent of their IT budgets on security, according to research by Gartner. That’s a bigger slice of the IT pie than for large enterprises, which typically spend 3 to 6 percent of IT money on security, notes Adam Hils, principal research analyst at Gartner who specializes in small and mid-sized business security. “The smaller companies have overall IT budgets that aren’t as large,” he explains.
Perhaps surprisingly, the biggest spenders on IT are mid-sized businesses, around the 500 to 1,000 employee range. “They want to be able to compete with larger companies,” Hils notes. “And, especially if they’re in finance or healthcare, they need to be able to offer the same types of security guarantees to their customers as big companies do.”
Statistics like these can be helpful for comparing your company to overall IT practices. But figuring out how much of your particular IT budget should go for security requires taking many factors into account, such as your industry, how dependent your company is on technology, and the possible consequences of a security breach.
In addition to considering these factors, here are some steps that can help you ensure your IT security spending is on track:
1. Aim for compliance. Increasingly, a review of government regulations or other standards that affect your company may help determine what security you need and how much it will cost. The Sarbanes-Oxley, Health Insurance Portability and Accountability Act (HIPAA), and Federal Information Security Management Act (FISMA) impose data protection requirements on public companies, health care companies, and those that receive federal funds, respectively.
In addition, a growing number of companies find they must also adhere to the Payment Card Industry (PCI) Data Security Standard as a prerequisite for processing credit card payments or other financial information. “Starting in the middle of last year, we see companies like Visa and MasterCard targeting smaller retailers for compliance,” Hils says.
And maybe that’s not such a bad thing. “Unlike some of the government regulations, PCI is a very useful standard,” notes Johannes Ullrich, chief technology officer at the SANS Institute, a leading provider of information security and training. “It’s very specific, and incorporates a lot of best practices many companies should be following.”
2. Look for a single solution to multiple problems. Security threats take many forms and come from many different sources. Where once guarding against viruses and hackers seemed sufficient, companies are now faced with spyware, Trojans, staggering volumes of spam, and wrongdoers eavesdropping on wireless networks. Rather than addressing each of these individually, more and more small companies are seeking out unified threat management, single boxes which supply a range of security solutions, filtering spyware, keeping out hackers, and fighting off viruses at the same time. “This way, as future needs change, you’re buying new software licenses rather than new hardware,” Hils says. He predicts that by 2010, 90 percent of small and mid-sized business security purchases will be multi-faceted solutions such as these.
3. Expect more security for less cost. As the large security players acquire smaller companies and fold in their offerings to these multiple solutions, overall costs for security are going down, Hils says. Another price-reducing factor is Microsoft Forefront which has entered the security market and provides affordable security options for small companies. Though Microsoft may never dominate corporate security the way it does so many other areas, it’s still forcing competitors to lower their prices, Hils says. “Microsoft is a big factor in getting [small and mid-sized businesses] more bang for the buck.”
4. Get expert help. It’s tough, if not impossible, for a small or mid-sized business to have the in-house expertise needed to stay up to date on security. “Even if you have full-time IT staff, can they focus on security enough to stay in the loop on the latest threats and products?” Ullrich asks. “Before you deploy an antivirus, you should do some tests to seek which one will work best for you. Independent consultant can help with this, and you get the benefit of what they’ve learned working with other companies similar to yours.”
A consultant can also help you understand how adding a new security element will affect your network, he adds. “Whatever you do, don’t just go to Best Buy and grab something off the shelf.”
In general, Hils says, “Companies need to figure out if they simply want adequate security, follow all the best practices, or perhaps be on the cutting edge of security technology.” Hils estimates that about 60 percent of small and mid-sized businesses simply want adequate security. The problem, he says, is that, while most companies believe they’re at least up to that level, “Some are falling below the line.”
How can you tell if your company is among them? “One sign to look for is how much spam you get,” Ullrich says. “The more spam you get, the more penetrable your boundary is. And, since spam often carries viruses, it increases the possibility that your company is already infected.”