One in four say senior management needs to be more aware of security issues

Raleigh, N.C., US, 7 December, 2007 – A new survey shows that nearly half of small companies in the United States believe that employees with a better knowledge of security issues and the part they play in a company’s IT set-up would help to improve network security, while one in four say that even management should be more aware of security issues and threats.

A survey of 455 IT executives in small and medium sized businesses in the US found that 48% said that awareness on security issues among employees – the ‘weakest link’ – was a key factor that could lead to better overall security.

The research carried out by polling company eMediaUSA on behalf of GFI Software, an international developer of network security, content security and messaging software, found that employees are not the only people who need to be ‘educated’. One in four IT executives want senior management to have a better understanding of security issues as this could have a bearing on the overall level of network security and, possibly, the range of security measures that could be implemented. Only 10% of SMBs said they would need more human resources while 12% said network security would improve if they had larger budgets.

The survey shows that 4 in 10 SMBs said their networks were not secure enough, with email viruses the major security threat. When asked what their major daily concerns are, 71% of respondents cited downtime and tackling security issues while 51% said user support was a daily concern.

According to Andre Muscat, Director of Engineering at GFI Software, these results highlight the growing effect that employees could have on a company’s security: “Computer users can be considered as the least predictable and controlled security vulnerability. In the majority of cases, a lack of education and an understanding of basic security principles and procedures are the main causes of security breaches rather than malicious activity – although the latter can never be ignored. And it takes so little for a security breach to occur.

“IT managers today have to dedicate more time and resources to deal with end-user support issues. The proliferation of consumer devices and the increasing number of employees using laptops, in and out of the office, have widened a network’s footprint and with that the associated increase in threats. As our survey shows, so has the workload for IT managers in SMBs,” he added.

From a financial perspective, the survey shows that spending on security measures was relatively low with 55% of SMBs saying they spent less than 10% of their IT budget on security. 38% said they allocated between 11% and 30% of the budget to security, while only 2% said they spent more than half of the budget on security.

Despite fewer resources being allocated to security, more than three quarters of respondents were satisfied (77%) and felt that their budget was enough to cover their security requirements. However, the survey also showed that just over 50% of respondents found it difficult to convince management to invest in security solutions. Only 15% said it was very easy.

Commenting on this finding, Mr. Muscat said that it was likely that those who found it difficult to convince management to invest in security were trying to sell to management a solution that was not in their typical shopping cart.

“Most in senior management are familiar with the traditional security products, namely anti-virus, anti-spam and a firewall. IT managers encounter few problems purchasing these products however convincing management to spend on vulnerability management, event log management and email management and archiving solutions is another matter altogether. And this might well explain why 25% feel that management needs to be more aware of security threats facing companies today.”

According to the survey, the shopping list for SMBs in the US in the coming six months includes network monitoring (31%), email management (29/%), network scanning (26%) and anti-virus (26%) solutions. 15% plan to implement endpoint security or patch management (16%) solutions in the coming six months.

A copy of the results can be found at: http://www.gfi.com/documents/rv/smbsurvey.pdf.