Canadian small-to-medium-sized businesses (SMBs) lag behind their American counterparts in IT security spending, according to a recent report from Cupertino, Calif.-based Symantec Corp.
The report found that 68 per cent of companies spend less than 10 per cent of the overall IT budget on security. Despite this, data protection and unauthorized access were cited as top concerns among IT managers due to the potential financial and legal ramifications of security breaches and data loss.
Lack of money and staff resources are generally the key inhibitors to SMB investment in IT, said Michael Murphy, vice-president and general manager with Symantec Canada Corp.
“The people in charge of these businesses are so busy actually running the company that, often, IT needs take a backseat.”
There is also the perception that adequate security spending is a “huge cost burden”, added Murphy.
The findings of low IT security spending among Canadian SMBs aren’t all that surprising given the differing approach to business, said Brian O’Higgins, chief technology officer with Ottawa, Ont.-based host intrusion prevention technology vendor Third Brigade Inc.
Specifically, he said, American SMBs are generally more aggressive in business and are more aware of, and pay more attention to, security risks than do their Canadian counterparts.
Average Canadian SMBs “barely have computers” and definitely don’t have in-house IT security expertise, he said, adding that although they might have been in tune with emerging internet security threats several years ago, “now, maybe they’re a little bit too complacent, but that threat is there and much worse.”
There is little difference, said O’Higgins, among large businesses, which typically can afford to keep skilled IT security staff and are therefore more proactive about securing their business.
Canadian SMBs may be spending too little on security, but there’s no standard amount that can be dictated, said Murphy. “It’s not a one size fits all proposition. SMBs need to assess their risk and how critical their data is and whether the cost of investing outweighs the risk of losing company information.”
For a small company, said Murphy, losing mission-critical data could mean an end to the business.
There’s no right answer as to security spending because security investment is typically doled out in stages, agreed O’Higgins, but it should suffice, he added, for a company with state-of-the-art security technology to allocate between five and 10 per cent of the overall IT budget to maintaining that security.
However, he said, a company with a weak security infrastructure will require an initial overinvestment – something like two to three times the amount required to maintain an investment – before it can “coast for a couple of years”.
While Canadian SMBs spend too little on security overall, the areas that fall by the wayside are mobile technologies, especially given the influx of mobile devices and the associated security risks, said Murphy.
But besides risking the company’s business-critical data through these open endpoints, the SMB’s partner networks are also exposed, he said. “Dealing with endpoint security issues is increasingly becoming critical for SMBs – and is something relatively new for them to have to deal with.”
O’Higgins said awareness is lacking around technology required to meet regulatory compliance for credit card security standards – an area of particular importance given many SMBs conduct business transactions over the Web.
O’Higgins predicts regulatory compliance technology will be the biggest driver for improving IT security for those SMBs that perform a large number of Web transactions. “It will take some wakeup calls,” he said.
On the flip side, the security area they typically don’t disregard is antivirus software and maintaining firewalls because it’s a topic that’s well-known and discussed, said O’Higgins.
The report also noted that fewer than one in three companies have created positions of chief privacy officer (CPO) and chief security officer (CSO). Again, this is due to a resource constraint issue, said Murphy, where small companies just can’t afford to hire an individual whose sole job is to oversee IT security requirements.
But the absence of these roles is also due to not realizing the importance of these positions, and to the fact that SMBs are less likely than enterprises to require such roles to begin with, thinks O’Higgins. “It’s just a matter of scale.”
Most small companies, he said, don’t even have IT professionals – let alone a CPO and CSO – relying instead on the office administrator to tackle technology issues. “If they have a person dedicated to IT, that’s at least a starting point in trying to address security.”