Dark Reading is part of the Informa Tech Division of Informa PLC


4/27/2009
11:34 AM

The High Cost Of Not Spending On Security

Slashing your security budget might be tempting in these tight times, but a security breach will cost you far more than you save. Recent IT spending surveys show that many tech leaders see security as a top priority whereas others are trimming security spending and putting their organizations at increased risk of a security breach.

Money is tight right now. That's not news, but what that means for your business can't be distilled to a sound bite and generalized across an industry demographic. You're making choices to cut business hours, eliminate the jobs of people you hired and have worked with for years (some of them might even be relatives), slash marketing programs, not invest in new equipment, and the list goes on. When those choices are yours, they defy mass statistics. And until this recession starts to wane (and really wane, not just spew conflicting hints about a recovery that create more confusion and fear), these hard choices you must make as a business owner won't get any easier.

After you've trimmed the fat and then cut muscle down to bone, it's tempting to start looking at ways to trim core infrastructure. IT is always a target for cost reduction, but one area where you should be very cautious about cutting spending is security. If you don't increase the number of servers or invest in that CRM tool, it may well crimp your business growth, but in and of itself, it probably won't put you out of business. By contrast, a security breach can kill your business -- and that's even more true right now when margins have moved beyond thin to nonexistent. Do you have the cash reserves to fight a lawsuit over hacked customer data, to have your sales pipeline filched, to butt heads with regulators, or any of myriad other security disasters waiting to happen?

Yet, security still gets the axe. According to an (ISC)² survey released at the RSA Conference, more than 70% of information security professionals saw their budgets reduced in the last six months. That's sobering. If you figure that many of the 1,500 survey respondents worked in large enterprises, it's reasonable to assume there was some redundancy and excess to be trimmed; small and midsize companies rarely have that luxury in the IT department or elsewhere. But the follow-up question about budgets is also telling: 55% said they expected no further cuts this year. As for the 225 respondents who, we infer, anticipate further budget cuts, they may have more fat to trim or just figure a security breach won't happen to them. However, these results indicate a slight majority have drawn a line in the sand.

When you slash your security budget, you're pinning your hopes on the unrealistic belief that it won't happen to you. Witness another survey of CIOs (the folks charged with seeing the big picture) where the runaway spending priority for the coming year was security. The Robert Half Technology survey found that 43% of CIOs tapped information security as the number one spending priority. The distant second was virtualization at 28%.

Two surveys, one showing security budget cuts and another indicating security investment. Ah, the conflict. So where do small and midsize businesses fall in this mix?

According to yet another survey, almost half (42%) of SMBs are holding steady on IT spending and a fifth (20%) plan to increase it. The findings of the Compass Intelligence SMB Online Experience research don't break out security spending independently, but it's not unreasonable to infer that if all IT spending holds even or increases, security spending will too.

And just as this mishmash of numbers and surveys isn't clean and neat, neither is securing your business. Spending alone won't save you, but smart spending may. Now's the time to review your security budget, not with a blunt cutting instrument, but rather to identify ways to maintain or even boost your safeguards without spending big. This Wednesday, we'll be digging into exactly that issue at bMighty's virtual event: bMighty bSecure: SMB Security On A Budget. We've assembled a host of experts, analysts, and small and midsize business people to share their insights and experiences (and take your questions) about issues ranging from security budgeting to the most pressing internal and external security threats to disaster recovery, security appliances, and more -- all with an eye toward pragmatic, achievable outcomes that account for today's budget realities.

Unlike many other IT investments, security has an inverted ROI equation -- the result you hope for is that NOTHING will happen. And the only indicator you'll have of whether you've spent enough is a security breach, and then it's too late.
