New Survey: IT Security Spending is Up, Security is Not, and Ransomware’s the Biggest Worry

Executive Summary

The second annual Cyren-Osterman Research U.S. security survey shows a significant disconnect between rising IT security spending and a low level of confidence in current protection, among many topics covered in the 24-page report, “IT Security at SMBs: 2017 Benchmarking Survey.”

Security Budgets Up Sharply

On average, survey respondents reported that IT security budgets grew a robust 17 percent during the past 12 months. That’s on top of a 21 percent increase reported one year ago in the inaugural Cyren-Osterman Research survey. However, 68 percent of businesses reported one or more breaches or infections during the prior 12 months, and significantly less than half believe they are well prepared to meet priority threats like ransomware, phishing and zero-day exploits.

The survey focuses on the current web and email security status and priorities of IT and security managers at organizations with 100 to 3,000 employees. The survey results allow security personnel to benchmark their own security posture and planning against their peers.

Key Takeaways

Details of the “IT Security at SMBs: 2017 Benchmarking Survey” questions and responses follow; summarized here are some of the key takeaways from this year’s research:

Security breaches are prevalent. Slightly more than two-thirds of the organizations surveyed – 68 percent – reported that they had experienced one or more breaches or infections during the past 12 months, with 29 percent reporting a successful phishing attack and 18 percent a ransomware infection that had gotten past their security defenses.

Ransomware is the #1 concern. Ransomware surged from fourth place in the 2016 Cyren-Osterman Research survey to the top of the heap of issues about which IT and security managers are concerned or extremely concerned (62 percent), slightly edging phishing (61 percent), and data breaches (54 percent).

Security concerns rule, controlling employees doesn’t. While threat categories are the top concerns among U.S. SMB security decision makers, only 24 percent expressed concern about shadow IT, with even fewer giving importance to controlling employee web behavior.

Security effectiveness trumps cost – and everything else. Security effectiveness (85 percent) and speed of defense against new threats (74 percent) markedly outdistanced all other capabilities that were rated (reporting, user experience, management ease, etc.). Cost considerations were among the lowest-rated factors in evaluating a security solution.

Stopping threats in HTTPS is a priority. Fifty-nine percent rated the ability to inspect SSL traffic for threats as highly or extremely important, ranking it fourth among desired features in a web security solution. Fifty-five percent indicated they have deployed an SSL inspection capability, which contrasts with a far lower deployment rate of 19 percent found in a similar survey in the UK in February 2017.

Few think highly of their current protection. Most SMB decision makers believe that the security deployed for their organizations is not doing well, with the largest “security gaps” around the threats of greatest concern. For example, while 61 percent rate phishing a top concern, only 39 percent rate their protection highly.

IT security investment is exploding at SMBs. Presumably driven by the poor opinion of current security, and the reality and risk of recurring infections and breaches, SMB IT security budgets jumped significantly for the second year in a row, rising 17 percent on average in the past year, following a 23 percent increase reported in the 2016 Cyren-Osterman Research survey.

SMBs have limited IT security staff. Respondents indicated that they generally have a low number of dedicated IT security staff members available to deal with security issues. We found that over half (52 percent) of the organizations surveyed have two or fewer security staff members, with the figure rising to 80 percent for the smallest cohort (100 to 500 employees).

Mobile device security is lagging behind. While 70 percent protect remote offices and roaming laptop use, only half protect company-owned mobile devices, and only one-fifth protect BYOD mobile devices, even when those devices connect to the corporate network.

Preference for cloud-based SaaS is growing and nearly equal to on-premises. The preferred deployment model for security solutions is now almost evenly split, with 32 percent preferring on-premises solutions and 29 percent preferring cloud-based SaaS – the latter up sharply from 21 percent in the 2016 Cyren-Osterman Research survey.

Email security is now predominantly done in the cloud. Fifty-seven percent of SMBs rely on SaaS security for their email, considering together those who subscribe to a SaaS Secure Email Gateway (28 percent) and those who rely on the security provided by their SaaS or hosted email service provider (29 percent).

Cloud-based web security is moving up the adoption curve. Eighteen percent of SMBs reported that they subscribe to SaaS web security, with another 16 percent reporting deployment of “hybrid” cloud and on-premises solutions, and six percent relying on a hosted virtual appliance.

Security breaches cost significant staff time (and money). After a security breach, organizations reported an average of 152 person-hours in IT staff time devoted to addressing the problem.

Download the full report here. This blog originally appeared on KnowBe4.

Stu Sjouwerman
About the Author
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4 Inc, a provider of the most popular Security Awareness Training and Simulated Phishing platform. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” Along with his CEO duties, Stu is Editor-in-Chief of Cyberheist News, an e-zine tailored to deliver IT security news, technical updates, and social engineering alerts. Stu is a four-time Inc 500 award winner and EY Entrepreneur of the Year finalist.