Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/27/2009
11:34 AM
50%
50%

The High Cost Of Not Spending On Security

Slashing your security budget might be tempting in these tight times, but a security breach will cost you far more than you save. Recent IT spending surveys show that many tech leaders see security as a top priority whereas others are trimming security spending and putting their organizations at increased risk of a security breach.

Slashing your security budget might be tempting in these tight times, but a security breach will cost you far more than you save. Recent IT spending surveys show that many tech leaders see security as a top priority whereas others are trimming security spending and putting their organizations at increased risk of a security breach.Money is tight right now. That's not news, but what that means for your business can't be distilled to a sound bite and generalized across an industry demographic. You're making choices to cut business hours, eliminate the jobs of people you hired and have worked with for years (some of them might even be relatives), slash marketing programs, not invest in new equipment, and the list goes on. When those choices are yours, they defy mass statistics. And until this recession starts to wane (and really wane, not just spew conflicting hints about a recovery that create more confusion and fear), these hard choices you must make as a business owner won't get any easier.

After you've trimmed the fat and then cut muscle down to bone, it's tempting to start looking at ways to trim core infrastructure. IT is always a target for cost reduction, but one area where you should be very cautious about cutting spending is security. If you don't increase the number of servers or invest in that CRM tool, it may well crimp your business growth, but in and of itself, it probably won't put you out of business. By contrast, a security breach can kill your business -- and that's even more true right now when margins have moved beyond thin to nonexistent. Do you have the cash reserves to fight a lawsuit over hacked customer data, to have your sales pipeline filched, to butt heads with regulators, or any of myriad other security disasters waiting to happen?

Yet, security still gets the axe. According to a (ICS)2 survey released at the RSA Conference, more than 70% of information security professionals saw their budgets reduced in the last six months. That's sobering, if you figure that many of the 1,500 survey respondents worked in large enterprises, it's reasonable to assume there was some redundancy and excess to be trimmed; small and midsize companies rarely have that luxury in the IT department or elsewhere. But the follow-up question about budgets is also telling: 55% said they expected no further cuts this year. As for the 225 respondents who, we infer, anticipate further budget cuts, they may have more fat to trim or just figure a security breach won't happen to them. However, these results indicate a slight majority have drawn a line in the sand.

When you slash your security budget, you're pinning your hopes on the unrealistic belief that it won't happen to you. Witness another survey of CIOs (the folks charged with seeing the big picture) where the runaway spending priority for the coming year was security. The Robert Half Technology survey found that 43% of CIOs tapped information security as the number one spending priority. The distant second was virtualization at 28%.

Two surveys, one showing security budgets cuts and another indicating security investment. Ah, the conflict., So where do small and midsize businesses fall in this mix?

According to yet another survey, almost half (42%) of SMBs are holding steady on IT spending and a fifth (20%) plan to increase it. The findings of the Compass Intelligence SMB Online Experience research don't break out security spending independently, but it's not unreasonable to infer that if all IT spending holds even or increases, security spending will too.

And just as this mish mash of numbers and surveys isn't clean and neat, neither is securing your business. Spending alone won't save you, but smart spending may. Now's a time to review your security budget, but not with a blunt cutting instrument, but rather to identify ways you maintain or even boost your safeguards without spending big. This Wednesday, we'll be digging into exactly that issue at bMighty's virtual event: bMighty bSecure: SMB Security On A Budget. We've assembled a host of experts, analysts, and small and midsize business people to share their insights and experiences (and take your questions) about issues ranging from security budgeting to the most pressing internal and external security threats to disaster recovery, security appliances, and more -- all with an eye toward pragmatic, achievable outcomes that account for today's budget realities. Check out the full event agenda here.

Unlike many other IT investments, security has an inverted ROI equation -- the result you hope for is that NOTHING will happen. And the only indicator you'll have of whether you've spent enough is a security breach and then it's too late.

bMighty bSecure is a virtual event designed to help your company stay secure in the most cost-effective way possible. bMighty and InformationWeek editors will bring together SMB security consultants, analysts, and other experts, along with real IT execs and users from small and midsize companies to share the secrets of keeping your company secure without breaking the bank.
REGISTER NOW!

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.