Companies are ready to take a risk, ignoring IT strategy

According to Kaspersky Lab’s 2014 IT Security Risks summary report, conducted in collaboration with B2B International, 94% of companies have experienced some form of external security incidents within the past 12 months. But despite this nearly-universal rate of encounters with cybercrime, businesses tend to prioritize IT spending – which includes IT security – quite differently depending on their size.

The survey found that businesses with fewer than 100 employees are significantly less likely to prioritize their IT strategy than larger businesses, potentially leaving smaller businesses with security gaps that could cripple these growing companies. Only 19% of companies with fewer than 25 employees ranked IT Strategy as one of their top strategic concerns, and this response rate was almost the same – 21% - for businesses with 26-99 employees. But in businesses with 100 employees or more, the rate of IT Strategy prioritization rose sharply to 30% or higher, with 35% of enterprises ranking IT Strategy as one of their top two priorities.

IT Strategy Perceptions

Despite these facts about the continued growth of cybercrime, small and medium-sized businesses are clearly regarding their IT strategy, and by extension their IT security, as less important than their larger competitors. In fact, market research shows us that very small businesses tend to underestimate IT-threats the most. One reason for this lack of security awareness can be traced back to the mindset of “security by obscurity,” a common assumption that cybercriminals won’t waste their time targeting small businesses, and that small businesses don’t have anything worth stealing to begin with. In fact, some cybercriminals prefer targeting SMBs instead of larger businesses, since they know that small and medium companies are often not fully protected, leading thefts that are smaller in value, but much easier to accomplish. In fact, this latest survey data shows that even SMBs with only 100 employees can expect to pay hefty costs resulting from malware infection and data loss. These costs can include professional services to advise companies after a serious incident ($10,000 average cost for SMBs), IT training for staff to prevent further breaches ($5,000 average cost for SMBs), as well as damage to the businesses reputation, which by itself can be enough to bankrupt a small business.

Across Regions and Industry Verticals

 IT Security Risks Survey 2014 found that differing levels of IT strategy prioritization was influenced not only by the size of the business, but also by the industry the business operates within. IT Strategy is one of the top two strategic concerns for over one-third of all Telecoms (40%), IT/Software providers (36%), Government/Defence organizations (35%), and Educational institutions (34%). Surprisingly, companies providing Consumer Services and E-commerce & Online Retail do not pay so much attention to IT strategy. Only 14% of E-Commerce & Online Retail companies consider development of IT strategy as a key strategic concern of the company (and only 4% of them consider it as the top priority), ranking this segment as the lowest rate of response.  

The survey also examined this attitude from a regional perspective, since security threats are widely spread around the world - about 33% of all users’ computers connected to the Internet were subjected to at least one web attack during Q1 2014. Looking at data across the regions we can see that IT Strategy is currently not a hot issue in Middle East and Emerging Markets, where only a shocking 5% and 10% of companies, respectively, feel that IT strategy is a one of the top two strategic concerns, compared to a significantly larger rate of prioritization reported in China (25%) and Russia (18%).

To learn more about the latest IT security risks read the Survey 2014: A Business Approach to Managing Data Security Threats.