By Linda Tucci | Jan 9, 2009
IT executives at small and medium-sized businesses (SMBs) will spend a full percentage point more of their IT budgets on security in 2009 than 2008, according to a new study from Forrester Research. The change will result from a shift in security strategy from computer security threat defense to corporate data protection.
That more closely mirrors the strategy at large companies, says Forrester's The State of SMB Security: 2008-2009. For SMBs, which Forrester defines as companies with fewer than 1,000 employees, that means 10.1% of their IT spending will go toward IT security in 2009, compared with 9.1% in 2008.
"What was interesting in this survey was how similar the SMBs were to enterprises, in terms of their issues and objectives and even the pressures they are facing in finding people with the right skills," said Jonathan Penn, vice president, tech industry strategy -- security, at Cambridge, Mass.-based Forrester and author of the report.
Nearly 20% of the respondents plan to pilot or adopt a host intrusion prevention system (HIPS), file-level encryption, full disk/desktop encryption, endpoint control and data leak prevention in the next 12 months. The moves will almost double the use of these security technologies at SMBs.
Indeed, protecting the data assets of the business was the highest priority for both SMBs and enterprise companies, surpassing threats frequently cited in the past, like malware (ranked 5th of 11 security issues) and regulatory compliance (ranked 10th).
The No. 2 concern for both SMBs and enterprises was application security. It is perhaps not surprising that big companies with dedicated security staffs understand that application protection is an important component of managing risk, Penn said. The fact that the multitasking IT staffs at most SMBs not only share this concern but can also communicate it to upper management represents a shift in their approach to managing risk.
"More than half of SMBs said that management does view application security as a significant area of risk," Penn said. That's about the same number as respondents from enterprise-level companies. "That's a fairly sophisticated view."
The findings are based on responses from 1,206 SMB business and IT leaders and 942 enterprise respondents in a pair of surveys done in the third quarter of 2008.
The focus on data protection represents a "pretty healthy approach" to security, in Penn's view. Rather than following hackers' latest bag of tricks, IT executives are taking an asset-based approach, determining a company's most important data stores and building defenses around them.
"There is a growing recognition that the focus should be on what the attacks are actually doing to business assets, rather than looking at the kind of attack, per se," Penn said.
Strong adoption of managed security services
When it comes to IT security technologies, the survey showed that -- similar to large enterprises -- SMBs are increasingly going to managed security services to find specialized skills (31%) and to reduce costs (24%). Managed security services include email or Web content filtering, network firewall monitoring and vulnerability assessments. About half the SMBs already employ or plan to procure these technologies through managed services.
"We think of managed security services as something that people turn to just for cost savings," Penn said. "But we are seeing pretty strong adoption of managed security services across both SMBs and enterprises, and a lot of it has to do with the skills shortage. People are unable to find staff with the right skills, or in some cases, don't want people with those skills and find it just as effective to outsource it."
Endpoint security is one area that will see strong growth, according to Forrester, as 14% of SMBs indicated that they plan to adopt or pilot services in this area. That's on top of the 19% currently using such services.
Other findings from the survey include:
Security holes at SMBs
For Jerry Hodge, senior director of information services at Hamilton Beach Brands Inc., managing risk is a constant negotiation with the business. The midmarket company has all the enterprise-sized risks, including contending with the Sarbanes-Oxley and Health Insurance Portability and Accountability acts as well as Payment Card Industry regulations -- with a fraction of the resources.
Hodge said he hopes to free up some money this year to do quarterly security assessments to get a better handle on vulnerability. Hodge also reorganized his infrastructure team and gave it a new name -- the infrastructure, security and compliance group -- to better address his risk strategy. But money is tight. "We are looking to do more with the same dollars," he said.
Indeed, cost and business justification for data security remain a huge challenge for the majority (54%) of SMBs in plotting their security strategy, the survey showed. But Penn said this year's survey results also indicate a growing awareness of security as a business issue.
"I don't think that the business yet sees security as a business enabler, but they do see that bad security can be significant business risk," he said.
You need internal data protection, too
One area that isn't on the security radar for many SMBs -- but probably should be -- is access rights and the larger issue of identity management. Data assets must be protected against insiders, too, said Jonathan Penn, author of Forrester Research's security report.
"There are people who are authorized users who may inappropriately use information to the detriment of the company, or there are unauthorized users who in previous roles may have needed access to information but no longer do. Those kinds of processes in SMBs tend to be pretty poorly implemented," Penn said.
Part of the reason for this security shortcoming is that the technology for automating these processes can be expensive. But the bigger issue for SMBs is the process-intensive nature of keeping up with the rights employees should and shouldn't have.
"If it was a matter of just getting a tool to streamline onboarding, they could do that if they saw the cost benefit of that. But SMBs have tended to shy away from how they manage people's rights throughout the lifecycle of employment," Penn said. Coordinating among IT, business departments and human resources to sort out the employee rights and keeping the policies up to date is tough, and not easily outsourced.