Are You Spending Enough On IT Security?

IDC Report Focuses on How Real the Threat Actually is for Canadian Businesses

How much is your company spending on IT security? According to most analyst numbers, an average of 14% of the IT budget should be shelled out each year to safeguard a business. The reality is that less than a quarter of companies are spending even near that much.

What Was Revealed in the Report?

In a report by the International Data Corporation (IDC) that focused on Canadian companies’ security budgets, some startling statistics were revealed. The IDC, which is a global provider of market intelligence in information technology, surveyed over 200 Canadian companies. In the survey, they calculated that while the average company spent a little under 10% on IT security, the budget was mixed and varied dependent upon the company. The report states that the majority of businesses’ data security budget was subject to how smart that company’s methodology was at combating hacking.

IDC broke down the Canadian firms they surveyed into four main groups:

Egotists

17% of the businesses surveyed are what the IDC labeled as Egotists. This group has a grasp on security, spending about 12% of its IT budget on security. However, the IDC points out that even though these Canadian companies are doing some things right, their overconfidence could easily be their downfall.

Realists

Nearly a quarter of the companies fell into what the IDC labeled as the Realist category. Realist’s cybersecurity budgets are the highest, spending around 14% of their money on IT solutions. These organizations understand that a constant battle must be waged against hackers, and they can never let their guard down. They devote a lot of energy to analyzing and comparing their performance to that of their industry peers.

Denialists

The highest percentage, 37% of companies surveyed, tend to bury their head in the sand when it comes to cyber security. Their goal is to focus on installing new technologies in an attempt to solve the security problem instead of investing in processes that are secure. They also fail to train their staff about cyber security, which leads to more employee caused hacks.

Defeatists

About 25% of the firms examined fell into what the IDC says is the worst of all the categories—the Defeatists. They’re terrible at security, and they fully admit to their failures. Their strategy leans mostly on throwing a small budget at the wall and seeing what sticks. They tend to spend an average of only 6% of their IT budget on security, since they don’t think anything is really going to work anyway.

Which Type of Companies Spend the Most on Cyber Security?

The IDC reports that the three industries who will spend the most on security solutions in 2018 are banking, discrete manufacturing, and the federal government. These three groups will spend more than $27 billion combined.

The four industries that will see spending greater than $5.0 billion this year are process manufacturing, professional services, consumers, and telecommunications. The IDC also reports the industries that will encounter the fastest spending increase over the 2016-2021 forecast period will be telecommunications, education, state and local governments, and the resource industries.

How Much Should Be Spent on Cyber Security Awareness?

The IDC’s survey pointed out the importance of training the company’s non-technical employees. On average, results of the IDC survey revealed the companies that fell into the realist category spent about 24% of their IT security budget on employee awareness and education. They understand that employees are the weakest link when it comes to cyber security. People who are not well-trained to spot phishing schemes will click on suspicious links that could cripple your entire IT infrastructure.

How is the Spending on Cyber Security Broken Down?

The IDC strongly points out that not every dollar with a security benefit inevitably shows up in a company’s security budget. For example, a company might purchase a tool to locate network anomalies. This would fall under a clear security-related purchase. However, if the tool isn’t integrated into a wider detection and mitigation process within the company, it most likely won’t be effective for improving the company’s internet security.

An example of this is the attack against retail giant, Target’s point-of-sale (POS) systems in 2013/2014. The system triggered alarms, but Target’s information security team chose to ignore the warnings and not follow-up on the spotted activity. This inaction resulted in the loss of tens of millions of credit card numbers and hurt the store’s reputation with its loyal customer base.

On the other hand, an IT department that budgets for designing a system of repeatable and automated processes before it invests in high-level detection tools is causing their infrastructure to be more secure, even if the chief purpose is system efficiency. It isn’t clear what portion of that shows up as a security line item or falls into another category.

Conclusion

There’s too much at stake these days not to stay on top of IT security for your Canadian business. Educate employees; invest in the best IT security solutions. Stay on top of what’s going on in the world of cyber security. Not spending enough on cyber security should not even be considered. But neither should spending money on fancy cyber security tools with no clear methodology or IT plan in place.

 

Author: Joe Martin, Date: 2018-09-06