
“Truly depressing”: GFI laments lack of insight into current IT needs from UK SMEs

31 March 2009

Small to medium enterprises (SMEs) are underestimating the security danger posed by their employees, especially in light of the current recession, according to network security software developer, GFI.

The report, carried out by research company Redshift in November last year, and released this week, surveyed those responsible for IT security in 269 SMEs in the UK, and discovered that many don’t acknowledge the ever-growing danger of the internal threat.

Organisations surveyed ranged from general business services, through to retail and property and construction. Redshift found that almost half were experiencing declining sales, while 37% reported declining growth. Forty-four percent planned to cut IT budgets in 2009, while only 19% planned an increase.

With regard to company sales and new business in the last six months, 37% of SMEs had seen a slight fall while 28% had seen a significant fall. Only 5% had seen a significant increase.

Some 42% of organisations cited new laptops as an area of major IT investment in 2009. The report commented that it was ‘Hard to see how investment in expensive hardware can deliver any quantifiable competitive advantage during a recession.’

Only 23% of SMEs planned to prioritise security spending in 2009, while 26% responded that spend on security is minimal as it is, so there is no scope for further cuts.

As far as threats are concerned, 48% of SMEs were very or extremely concerned with accidental data corruption, 43% were concerned with virus attacks via email or the internet and 38% were worried about external hacking. Just one fifth of organisations were very or extremely concerned with data theft by staff, despite recent surveys pointing to the fact that this is an escalating risk brought about by recession-led job insecurity. One such survey was a recent Ponemon report that suggested that six out of 10 employees stole data when they left their job last year.

The Redshift survey for GFI indicated that an overwhelming 78% of SMEs surveyed were concerned with external threats as opposed to the remaining 22% who were more concerned with internal threats.

Guy Washer, managing director of Redshift, commented that “Where it’s more difficult to imagine an employee walking out with a hard drive, it’s not difficult to imagine someone walking out with a memory stick the size of a pack of chewing gum.”

The survey asked what impact the recession might have on the changing nature of security in 2009. Twenty-seven percent of SMEs believed that there would be an increase in threats, and 45% believed the threats would change, but not increase or reduce, while a quarter believed the recession would have no impact at all.

Regarding policies drawn up to regulate access to the network by portable devices, one quarter of SMEs said they have a written policy which staff are required to sign, 15% maintained that they have a written policy which does not require signing, while 26% have informal guidelines and 34% of SMEs have nothing.

Washer remarked that “Smaller companies are not so good at looking at compliancy policies. Informal guidelines can be flaky.” He added that these results were “Truly, truly depressing.”

Walter Scott, CEO of GFI, commented that “Too much emphasis has historically been placed upon the need for anti-virus and anti-spam applications – external threats – and this has led to the common belief that with these, your network is secure enough. A secure network depends on many other factors and, unfortunately, the internal threat is far too often being ignored.”

He continued: “Endpoint security is absolutely critical even in the best financial times, but with the economy prompting more and more redundancies, there are more disgruntled employees who pose a potential risk to an organisation’s data.”

Scott also brought up the importance of productivity, especially in light of employees accessing non-work related websites in working hours, stating that “every security investment can be paid for through productivity.”

Explaining why the report centres on SMEs, Scott remarked that SMEs were “easier”, pointing out that “their needs are multifarious and not dependent on any one market.”

Scott stressed that during a recession the market can be especially competitive, and so, with the risk of internal threats, it’s vital that SMEs have good security.
