it security at smbs - 2017 benchmarking survey · in order to participate in the survey,...

Osterman Research, Inc. P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA Tel: +1 206 683 5683 [email protected] www.ostermanresearch.com @mosterman An Osterman Research Survey Report Published September 2017 Sponsored by IT Security at SMBs: 2017 Benchmarking Survey SURVEY REPORT


©2017 Osterman Research, Inc.


CONTENTS

1. Executive Summary
   Key Takeaways
   About the Survey and Respondent Demographics

2. Survey Findings
   Ransomware and Phishing are the Leading Concerns
   Organizations are Suffering Infections and Breaches
   Current Web Security Considered Inadequate
   Security Gaps Reinforce Demand For New Approaches
   Effectiveness of Security is The Most Important
   Web Security is Focused Heavily on The Endpoint
   SSL Inspection Now Fourth-Most Desired Feature for Web Security
   URL Filtering is the Most Deployed Web Security Function
   Web Security is Used to Protect Remote Locations and Users
   Endpoint Protection is Widely Used to Protect Remote Offices
   Endpoint Protection and VPNs Protect Roaming And Remote Users
   Cloud Email Platforms Now Split Market With On-Premises
   Email Security Has Already Moved to the Cloud
   Email Security is Focused On The Basics
   Only 20 Percent Have Deployed Advanced Email Security
   Deployment Gap: What They Want vs. What They Have
   Market Now Split on Best-Of-Breed vs. Integration
   Cloud-Based Security Preference Up From 2016
   Security Staffing is Constrained
   Security Investment Jumped For The Second Year in a Row


EXECUTIVE SUMMARY

This report presents the results of an in-depth primary market research survey of cyber security decision-makers in small to mid-sized businesses (SMBs) in the United States, conducted during August and September 2017. The goal of this research effort was to understand how SMBs, defined as organizations with 100 to 3,000 employees, undertake decision-making in the context of email and web security, what their priorities and preferences are when evaluating security solutions, how they have deployed their solutions today, how those solutions have been performing, and how IT security budgets have been evolving. This report also refers to responses from another Osterman Research survey conducted in 2016, comparing and contrasting the results, where appropriate.

Two key themes emerge from the data. First is that SMBs have significantly increased security spending over the past two years, but continue to suffer serious security incidents, and as a group do not rate their current protection highly. Consistent with that, we found that security effectiveness far outstrips other wished-for traits in evaluating new security solutions, including cost considerations.

The other key theme relates to preferences in architecture and deployment strategy. The survey data shows the preference for cloud-based SaaS security is trending upwards, relative to traditional on-premises appliances, along with a growing preference for integrated security product suites, as opposed to the practice of acquiring best-of-breed point products.

KEY TAKEAWAYS

Details of the survey questions and responses follow; summarized here are some of the key takeaways from this year’s research:

• Security breaches are prevalent
  Slightly more than two-thirds of the organizations surveyed – 68 percent – reported that they had experienced one or more breaches or infections during the past 12 months, with 29 percent reporting a successful phishing attack and 18 percent a ransomware infection that had gotten past their security defenses.

• Ransomware is the #1 concern
  Ransomware surged from fourth place in the 2016 Cyren-Osterman Research survey to the top of the heap of issues about which IT and security managers are concerned or extremely concerned (62 percent), slightly edging phishing (61 percent), and data breaches (54 percent).

• Security concerns rule, controlling employees doesn’t
  While threat categories are the top concerns among U.S. SMB security decision makers, only 24 percent expressed concern about shadow IT, with even fewer giving importance to controlling employee web behavior.

• Security effectiveness trumps cost – and everything else
  Security effectiveness (85 percent) and speed of defense against new threats (74 percent) markedly outdistanced all other capabilities that were rated (reporting, user experience, management ease, etc.). Cost considerations were among the lowest-rated factors in evaluating a security solution.

• Stopping threats in HTTPS is a priority
  Fifty-nine percent rated as highly or extremely important the ability to perform SSL traffic inspection for threats, ranking it fourth among desired features in a web security solution. Fifty-five percent indicated they have deployed an SSL inspection capability, which contrasts with a far lower deployment rate of 19 percent found in a similar survey in the UK in February 2017.

• Few think highly of their current protection
  Most SMB decision makers believe that the security deployed for their organizations is not doing well, with the largest “security gaps” around the threats of greatest concern. For example, while 61 percent rate phishing a top concern, only 39 percent rate their protection highly.

• IT security investment is exploding at SMBs
  Presumably driven by the poor opinion of current security, and the reality and risk of recurring infections and breaches, SMB IT security budgets jumped significantly for the second year in a row, rising 17 percent on average in the past year, following a 23 percent increase reported in the 2016 Cyren-Osterman Research survey.

• SMBs have limited IT security staff
  Respondents indicated that they generally have a low number of dedicated IT security staff members available to deal with security issues. We found that over half (52 percent) of the organizations surveyed have two or fewer security staff members, with the figure rising to 80 percent for the smallest cohort, with 100-500 employees.

• Mobile device security is lagging behind
  While 70 percent protect remote offices and roaming laptop use, only half protect company-owned mobile devices, dropping to one-fifth providing protection of BYOD mobile devices, even if they connect to the corporate network.

• Preference growing and nearly equal for cloud-based SaaS vs. on-premises
  The preference in terms of deployment model for security solutions is now nearly equally divided, with 32 percent preferring on-premises solutions, and 29 percent preferring cloud-based SaaS – with the latter up sharply from 21 percent in the 2016 Cyren-Osterman Research survey.

• Email security is now predominantly done in the cloud
  Fifty-seven percent of SMBs rely on SaaS security for their email, considering together those who subscribe to a SaaS Secure Email Gateway (28 percent) and those who rely on the security provided by their SaaS or hosted email service provider (29 percent).

• Cloud-based web security is moving up the adoption curve
  Eighteen percent of SMBs reported that they subscribe to SaaS web security, with another 16 percent reporting deployment of “hybrid” cloud and on-premises solutions, and six percent relying on a hosted virtual appliance.

• Security breaches cost significant staff time (and money)
  After a security breach, organizations reported an average of 152 person-hours in IT staff time devoted to addressing the problem.

ABOUT THE SURVEY AND RESPONDENT DEMOGRAPHICS

The survey was conducted during August and September 2017 with 109 business IT and security managers. The survey was designed to include a wide range of industries for a balanced perspective on security-related decision-making in the SMB space, reflected in the industry distribution shown in Figure 1.

Figure 1 Primary Industries Served by the Survey Respondents’ Organizations

Source: Osterman Research, Inc.

In order to participate in the survey, a) individuals had to be knowledgeable about computer/cyber security issues and security-related decision-making in their organizations, and b) these organizations had to have between 100 and 3,000 employees. The extensive survey was completed by respondents via an on-line survey system.

The median number of employees at the organizations surveyed was 700 and the median number of email users was 600. The organizations surveyed had a median of five locations in which they operated and they operated in a median of one country.


SURVEY FINDINGS

RANSOMWARE AND PHISHING ARE THE LEADING CONCERNS

Our research found that ransomware and phishing are the leading concerns for SMB decision makers, followed by data breaches, targeted attacks/zero-day exploits, and malware infiltration through HTTPS/SSL web traffic, as shown in Figure 2. The appearance among the “Top 5” threats of exposure to threats delivered via encrypted HTTPS connections is considered a notable development.

When comparing these results to those from last year’s Cyren-Osterman Research survey (published in July 2016), most notable is ransomware’s leap from fourth to first place, displacing phishing at the top of the list of concerns. This is most likely because of the massive increase in ransomware during 2016 and 2017 and heightened awareness from global publicity around attacks like WannaCry and Petya/NotPetya, not discounting the surprising rate of successful ransomware infections reported by SMBs themselves.

The issues of least concern to security-focused decision makers are those related to employee behavior: watching videos for personal reasons, web surfing in violation of corporate policy, and the use of social media for personal use. Similarly, most decision makers do not put a high priority on the problem of shadow IT in their organizations.

Figure 2 Organizational Concerns About Security Issues Percentage responding “concerned” or “extremely concerned”

Source: Osterman Research, Inc.

ORGANIZATIONS ARE SUFFERING INFECTIONS AND BREACHES

As shown in Figure 3, 68 percent of organizations report they are aware of some sort of security incident during the past 12 months. The most common types of security incidents were various types of malware infections, successful phishing attacks, and successful ransomware attacks.

Figure 3 Breach or Infection Types Experienced During the Past 12 Months

Source: Osterman Research, Inc.

When comparing this year’s results to last year’s we found some interesting similarities and differences:

• A similar proportion of organizations had experienced some type of security incident during the past 12 months: 68 percent in the 2017 survey versus 71 percent in 2016.

• Virus- and/or worm-related attacks were more common in this year’s survey (43 percent) compared to last year’s (36 percent).

CURRENT WEB SECURITY CONSIDERED INADEQUATE

We wanted to discover if SMB decision makers think their organizations are doing a good job with regard to protecting their organizations. As shown in Figure 4, the answer is preponderantly “no”. A minority believe their security is performing well across the top five identified areas of concern. For example, only 44 percent of decision makers believe their organizations are doing “well” or “extremely well” against ransomware attacks, and only 39 percent feel this way about phishing attacks.

Figure 4 How Well do Organizations Meet Their Security Challenges? Percentage responding “well” or “extremely well”

Source: Osterman Research, Inc.

SECURITY GAPS REINFORCE DEMAND FOR NEW APPROACHES

A clear way of understanding the priorities of IT security managers is to compare their responses and examine the revealed “Security Gaps” – the distance between an organization’s expressed level of concern about an issue and the level of protection they consider they have in place, as shown in Figure 5. The biggest security gaps – those areas that indicate the greatest discrepancy between concern and confidence in protection – are precisely in the most critical areas of security protection, with concern about phishing attacks on average outstripping by 22 percent the ability to prevent them, followed by data breaches (20 percent) and ransomware attacks (18 percent).

By contrast, the (only) two areas in which a majority of security managers believe their systems are performing well exhibit the reverse relationship – when it comes to endpoints compromised by botnets and employees surfing porn sites, respondents judge that their current ability to manage the problem far outstrips its actual importance. Both show a “negative security gap” of over 20 points. One could infer that these companies are “overinvested” in these areas, and that in evaluating and acquiring new solutions, IT managers will focus new investments on the critical security gaps.

Figure 5 Security Gaps: Comparison of Concerns vs. Perceived Level of Protection

| Issue | Level of Concern | Perceived Protection | Security Gap % |
|---|---|---|---|
| Phishing attacks | 61% | 39% | 22% |
| A breach of sensitive or confidential data | 54% | 34% | 20% |
| Ransomware attacks | 62% | 44% | 18% |
| Targeted attacks/zero-day exploits | 41% | 39% | 2% |
| Malware infiltration through HTTPS/SSL web traffic | 40% | 44% | -4% |
| “Shadow IT” – employees using unauthorized cloud apps and services | 24% | 28% | -4% |
| Employees watching video content for personal reasons | 13% | 28% | -15% |
| Employees using personal social networks at work | 17% | 33% | -16% |
| Endpoints compromised by botnets | 33% | 54% | -21% |
| Employees surfing web sites that violate company policies (e.g., porn sites) | 16% | 52% | -26% |

Source: Osterman Research, Inc.

EFFECTIVENESS OF SECURITY IS THE MOST IMPORTANT

Given the current threat environment, SMB decision makers are heavily focused on the effectiveness of the security offerings they deploy in their organization, as shown in Figure 6. The second most important issue is the speed with which new defenses are applied to new threats, implying that decision makers are increasingly cognizant of the fact that today’s threats morph quickly and require rapid response from the security infrastructure protecting them.

Figure 6 Key Issues for Email and Web Security Percentage responding “very important” or “of the highest importance”

Source: Osterman Research, Inc.

The initial cost of product acquisition and the ongoing total lifecycle cost are much less important decision factors among SMBs, considered “very important” or “of the highest importance” by fewer than two in five decision makers. We found similar results in the 2016 survey, when these two issues were of the least importance, particularly compared to security effectiveness.

Worth mentioning is the fact that ease of ongoing management was rated far more highly than ease of initial deployment – this appears to tie back to the low(est) ranking of initial cost considerations. Essentially, managers appear to be saying that they are willing to trade off cost and initial effort, provided the solution delivers real security (avoiding costs down the road) and is automated or does not demand resources once it’s up and running.

WEB SECURITY IS FOCUSED HEAVILY ON THE ENDPOINT

The vast majority of SMBs have deployed endpoint anti-virus capabilities as a component of their web security solution, followed by on-premises installations of firewalls, secure web gateway appliances and software installed on in-house servers, as shown in Figure 7.

Figure 7 Methods by Which Organizations Have Deployed Web Security

Source: Osterman Research, Inc.

The rankings for the top five web security deployment methods in the 2017 survey are nearly identical to the results we discovered in the 2016 survey: the only difference is that secure web gateways and software installed on in-house servers, ranked third and fourth, respectively, this year, held the reverse positions in 2016.

Where we did find a significant difference, however, is in the proportion of SMBs that do not have web security. As shown in Figure 7, only one percent of organizations reported that they do not have any form of web security installed, whereas this figure was six percent in 2016. In short, some measure of web security is now nearly universal among SMBs.

SSL INSPECTION NOW FOURTH-MOST DESIRED FEATURE FOR WEB SECURITY

Our research this year found that the consensus most important feature in evaluating a web security solution is inline anti-malware, followed by URL filtering, DLP, HTTPS/SSL traffic inspection, and reporting and logging, as shown in Figure 8. The move by the web to HTTPS, with over half of global web traffic now SSL-encrypted, is certainly driving the prominence of SSL inspection. Studies have shown a similarly growing use of SSL for malware distribution, which is essentially hidden to security systems which are not performing SSL traffic inspection.

Considered least important by the group as part of a web security solution, and echoing other data points discovered in the survey, is the ability to control shadow IT within an organization. There is also not a consensus yet in the market on the importance of advanced threat prevention capabilities like sandboxing, with only a third considering such a feature as “very important” or of the “highest importance”.

Figure 8 Importance of Features for Web Security Percentage responding “very important” or “of the highest importance”

Source: Osterman Research, Inc.

When comparing this year’s survey results with those from 2016, we found that the five most important features for a web security solution this year are the same as last year, albeit in a slightly different order and with slightly different proportions of those considering these features to be highly important.

URL FILTERING IS THE MOST DEPLOYED WEB SECURITY FUNCTION

More than one-half of businesses have deployed URL filtering, inline anti-malware, reporting/logging and HTTPS/SSL inspection, as shown in Figure 9. Least commonly deployed capabilities among SMBs include sandboxing and sandboxing forensic reports, the discovery and control of shadow IT, and post-infection incident management reports. The high cost of traditional sandboxing appliances has likely been an impediment to their deployment for this market segment.

Figure 9 Web Security Capabilities in Use Today

Source: Osterman Research, Inc.

When comparing the 2017 results to the 2016 survey, the top two web security capabilities in use in 2017 are the same as those reported in use last year.

WEB SECURITY IS USED TO PROTECT REMOTE LOCATIONS AND USERS

As shown in Figure 10, a significant majority of SMBs use their web security capabilities to protect multiple remote office or store locations, as well as to protect employees’ laptop computers from infection when they are roaming off-network. Only roughly half protect company-issued mobile devices, which drops to 21 percent when the devices are BYOD.

Only approximately half protect their guest Wi-Fi network users and enforce usage policies for them.

Figure 10 Mobile and Remote Use Cases for Web Security

Source: Osterman Research, Inc.

ENDPOINT PROTECTION IS WIDELY USED TO PROTECT REMOTE OFFICES

The most common method by which web use at remote offices is protected is through endpoint protection technologies, as shown in Figure 11. About one-half of SMBs use local gateways at the remote locations and slightly more than one-third backhaul traffic to a centralized data center.

Figure 11 Methods by Which Web Use is Protected at Remote Offices

Source: Osterman Research, Inc.

When comparing the current survey’s results to last year’s, we found that the results were largely similar: endpoint protection, use of local gateways and traffic backhauling are the three most common methods of protecting web use at remote offices today and they were last year, as well.

ENDPOINT PROTECTION AND VPN CONNECTIONS RELIED ON TO PROTECT ROAMING LAPTOPS AND REMOTE USERS

When SMBs protect laptop use for travelling or remote users, they most commonly do so using endpoint protection technologies and requiring remote access VPN connections, as shown in Figure 12. Cloud-based security from a SaaS provider is now used by 21 percent of SMBs for protecting remote users.

Figure 12 How Organizations Protect Laptop Use for Remote Users

Source: Osterman Research, Inc.

CLOUD EMAIL PLATFORMS NOW SPLIT MARKET WITH ON-PREMISES

Microsoft continues to be successful in migrating its on-premises Exchange user base into the cloud, moving roughly 50,000 users into Office 365 during a typical month.

Coupled with the growth of other hosted email services, the result has been to drive the SMB email market “to the cloud,” with on-premises and cloud SaaS platforms now at parity, as shown in Figure 13 – exactly 50 percent of the respondents run their email on-premises, with the other half comprised of Office 365/Exchange Online, Google Gmail, or virtual hosted external servers. Over the next couple of years, Osterman Research anticipates that the number of Office 365 users will significantly outweigh the number using on-premises Exchange.

Figure 13 Email Platforms in Use

Source: Osterman Research, Inc.

The migration of users from on-premises email platforms to those in the cloud will have significant implications for email security, particularly because the traditional, on-premises email security model doesn’t work quite as well in a cloud-based email world.

EMAIL SECURITY HAS ALREADY MOVED TO THE CLOUD

As shown in Figure 14, the story in terms of deployment models for email security is that cloud-based security is now well-established – over half (57 percent) of businesses rely on cloud-based email security, either subscribing to a secure email gateway service in the cloud (28 percent), or relying on the security included in their cloud-based, hosted email provider.

Figure 14 Methods by Which Email Security Has Been Deployed

Source: Osterman Research, Inc.

As more email users are migrated to cloud-based email, particularly Office 365, we anticipate that the data shown in the figures above will shift significantly toward a much larger proportion of email security that is provided natively within the cloud email offering, as well as security from specialist providers. While this will not mean the complete demise of on-premises email, the proportion of on-premises anti-virus and other security will continue to decline.

EMAIL SECURITY IS FOCUSED ON THE BASICS

In evaluating an email security solution, there is quite a “long tail” of feature preferences, with near-consensus around two “foundational” capabilities: anti-malware/anti-ransomware protection, and anti-phishing/anti-spoofing protection, as shown in Figure 15. These were by no means surprising findings, given that ransomware and phishing are the two leading concerns among SMB decision makers. It’s noteworthy that anti-spam protection continues to be a relatively high priority as a feature of email security, and that email continuity was rated, on average, well ahead of many other features.

Also as shown in Figure 15, in terms of weighting their importance, SMBs are not quite as interested in the minutiae surrounding email-related attacks, as evidenced by the much lower importance of capabilities like granular message tracking, and reporting and dashboards that can provide a summary view of attacks. This may be due to the fact that many SMBs do not have a sufficient number of dedicated IT security staff available to do a deep dive on email security, and so are more reliant on their service providers or on solution automation to deal with operational details.

Figure 15 Importance of Various Features for Email Security Percentage responding “very important” or “of the highest importance”

Source: Osterman Research, Inc.

ONLY 20 PERCENT HAVE DEPLOYED ADVANCED EMAIL SECURITY

The vast majority of SMBs have in fact got some form of protection for the “basics” in place, anti-spam (91 percent) and anti-malware/anti-ransomware protection (87 percent) as part of their email security capabilities today, as shown in Figure 16. Interestingly, despite the fact that anti-phishing/anti-spoofing capabilities are regarded as “very important” or “of the highest importance” by 83 percent of SMBs, only 69 percent of organizations report these capabilities as part of their email security solution.

More advanced threat protection capabilities like time-of-click protection and sandboxing have only been deployed by one-fifth of SMBs to date.

Figure 16 Current Email Security Capabilities in Use Today

Source: Osterman Research, Inc.

DEPLOYMENT GAP: WHAT THEY WANT VS. WHAT THEY HAVE

As an exercise, we wanted to compare the perceived importance of the email security features noted in the two figures above with their actual deployment. What we found, as shown in Figure 17, is that some features that are considered less important, such as anti-spam protection, are more commonly deployed as part of email security solutions; while some features that are considered more important, such as DLP, sandboxing and time-of-click protection, are not as widely deployed. This lack of deployment for several key features of email security points to a “deployment” gap, and underscores likely areas of future investment.

Figure 17 Comparison of Feature Importance vs. Deployment in Email Security Solutions

| Feature | Importance of Feature | Deployment of Feature | Deployment Gap % |
|---|---|---|---|
| Email continuity | 61% | 34% | 27% |
| Time-of-click protection | 46% | 21% | 25% |
| Data Loss Prevention (DLP) | 58% | 34% | 24% |
| Granular message tracking/reporting | 40% | 25% | 15% |
| Anti-phishing/spoofing protection | 83% | 69% | 14% |
| Sandboxing | 32% | 19% | 13% |
| Ease of policy management | 40% | 31% | 9% |
| Email encryption | 48% | 42% | 6% |
| User controls—quarantine, lists | 56% | 51% | 5% |
| Dashboards, attacks summary view | 40% | 38% | 2% |
| Reporting/compliance | 47% | 47% | 0% |
| Anti-malware/ransomware | 84% | 87% | -3% |
| Archiving/e-discovery/auditing | 36% | 42% | -6% |
| Anti-spam protection | 63% | 91% | -28% |

Source: Osterman Research, Inc.


MARKET NOW SPLIT ON BEST-OF-BREED VS. INTEGRATION

Our research found that preference for integrated product suites that consolidate capabilities into a single platform has grown to 30 percent, nearly reaching parity with the 36 percent who still prefer to apply a philosophy of acquiring “best-of-breed” point solutions for different aspects of security. The other one-third of organizations are agnostic with respect to their approach.

Figure 18 Preferred Approaches to Deploying Security

Source: Osterman Research, Inc.


CLOUD-BASED SECURITY PREFERENCE UP FROM 2016

The preference in terms of architecture or deployment model for security solutions is now nearly balanced in the market, with 32 percent expressing a preference for on-premises solutions, and 29 percent expressing a strong preference for cloud-based services. However, we note the preference for cloud-based security is up significantly from last year – in the 2016 Cyren-Osterman Research survey, the cloud-based service preference was expressed by 21 percent of SMBs. Thirty-nine percent expressed no strong preference, also a sharp increase from a year ago, where only 11 percent said they were agnostic on the question. Essentially, comparing last year and this year’s surveys shows a notable increase in preference for SaaS security, a significant increase in “no preference”, and a sharp drop from 67 percent to 39 percent in expressed preference for on-premises solutions.

Figure 19 Preferred Approaches for Deploying Security Capabilities

Source: Osterman Research, Inc.


SECURITY STAFFING IS CONSTRAINED

As shown in Figure 20, 35 percent of the SMBs surveyed have fewer than one full-time equivalent (FTE) security-focused staff member per 1,000 employees, while another 11 percent has fewer than two security staffers per 1,000 employees. In terms of nominal responses, we found that over half (52 percent) of the organizations surveyed reported two or fewer security staff members, with the figure rising to 80 percent for the smallest cohort, with 100-500 employees. One-quarter of all SMBs have only one dedicated security headcount, with eight percent reporting no IT staff fully focused on security. For those with 100-500 employees, half have 1 or no IT security staff (10 percent reporting none).

This indicates that many organizations, particularly smaller SMBs, have only minimal security expertise in-house to deal with security incidents and other security issues. It may also indicate the strong push by these understaffed firms to move more and more security functionality to the cloud and other specialist providers.

Figure 20 Penetration of IT Security Staff Among SMBs
Number of security-focused full-time equivalent staff members per 1,000 employees

Source: Osterman Research, Inc.


SECURITY INVESTMENT JUMPED FOR THE SECOND YEAR IN A ROW

As shown in Figure 21, more than three in five of the SMBs surveyed reported that their security spending increased during the previous 12 months, while only two percent reported a decline in spending and 35 percent maintained their budget status quo. The mean increase among organizations that reported one was 26 percent. Considering all respondents, average budget growth for IT security during the past 12 months was a robust 16.9 percent, which is on top of a 20.6 percent increase for the prior year reported in the 2016 Cyren-Osterman Research survey.

Figure 21 Changes in Security Spending During the Previous 12 Months
Percentage of Organizations

Source: Osterman Research, Inc.

What this clearly indicates is that security is an area of rising spending for the vast majority of SMBs, understandable given the enormous increases we have witnessed in ransomware attacks, spearphishing, CEO Fraud/Business Email Compromise/whaling attacks, and other sophisticated security attacks during the past couple of years. While we don’t anticipate that security spending will continue to increase at such a vigorous pace indefinitely, SMBs clearly have their hands full in dealing with the growing variety and sophistication of threats. The research demonstrated that after a major security breach, SMBs will spend an average of 152 person-hours addressing the issues following the breach.


© 2017 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.