NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES

Transcription

1 NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES September, 2015 Derek E. Brink, CISSP, Vice President and Research Fellow IT Security and IT GRC Report Highlights p2 p4 p6 p7 SMBs need to adopt a strategy for networking that delivers fast and reliable service, dynamic access, and flexible growth while also addressing security risks and sustaining compliance. SMBs need to have a focused, disciplined approach to network security currently, the consequences of security incidents actually experienced by SMBs don t align well with their reasons for investing in security in the first place. SMBs need to make a build-or-buy decision about network security Aberdeen s study suggests 30% to 60% growth in network security services for SMBs, compared to low or no growth in traditional, in-house deployments. SMBs should develop an appreciation of the costs of securityrelated business disruptions, data breaches and operational expenses of do-ityourself network security which may be higher than many SMBs may think. Like virtually all modern organizations, most small and mid-size businesses (SMBs) today are built on the foundation of one essential technology: a reliable, high-performance network. Aberdeen s research suggests four actions that every SMB should take with respect to network security.

2 2 Once organizations get to even a modest size, they need to adopt a strategy for networking that delivers fast and reliable service, support for a dynamic mix of access and connectivity, and flexibility for future growth while also addressing security risks, and sustaining requirements for regulatory compliance. A security incident refers to any event that attempts to compromise the confidentiality, integrity or availability of an information asset. A data compromise (or data breach) refers to a security incident which results in the confirmed disclosure of an information asset to an unauthorized party. Your Business is the End Your Network is an Essential Means Like virtually all modern organizations, most small and mid-size businesses (SMBs) today are built on the foundation of one essential technology: a reliable, high-performance network. For small and mid-size businesses to stay competitive and achieve their business objectives, SMB networks that may have initially been designed simply to support internal activities now need to adapt, integrate and keep up with the waves of disruptive changes in IT infrastructure that have rolled in over recent years which include mobility, social collaboration, virtualization and cloud computing, among others. Once organizations get to even a modest size, they need to adopt a strategy for networking that delivers fast and reliable service, support for a dynamic mix of access and connectivity, and flexibility for future growth. Networking is the one core information technology that makes all these other services possible, and it demands ongoing focus. Unfortunately, the list of requirements for today s SMB networks doesn t end there. Security risks have become an issue both in the headlines and in executive boardrooms, and smaller organizations would be unwise to believe that they are somehow immune. On the contrary, the 2015 Verizon Data Breach Investigations Report (DBIR) found that of the 694 security incidents investigated in detail that were experienced by smaller organizations, a whopping 573 (83%) resulted in a confirmed data compromise compared to a success rate of just 2% for all other organizations in the study. From the attacker s perspective: if you want to succeed, attack a SMB. Similarly, SMBs would be unwise to assume that they are not worth attacking they are, and if not for their own resources, then as a link in an increasingly interconnected supply chain. For example, SMBs are well known to be the attacker s preferred stepping stone towards compromise of a larger, more lucrative target.

3 3 Compliance brings another set of requirements that many SMBs are now compelled to achieve and sustain, which may include industry regulations (e.g., security standards for payment card data under PCI DSS), government regulations (e.g., HIPAA, HITECH), customer requirements (e.g., recent trends towards larger enterprises being required to validate minimum standards for security throughout their supply chains), or all three. Table 1: Drivers for SMB Investments are Not Aligned with Consequences of Actual Incidents Drivers for SMB Investments in Security Consequences of Actual Security Incidents Avoid negative publicity 47% 23% Damage to reputation or brand to reputation / brand Government regulations 41% Audit / Compliance-related incidents (actual) 21% Industry regulations 19% 8% Fines or penalties from non-compliance Security-related incidents (actual) 34% Vulnerabilities and threats (risk) 22% Business disruptions 24% 31% Compromise of sensitive data 79% Loss of user productivity 64% 11% Unplanned downtime or system outages Long-term loss of business (e.g., lost customers) 10% Material loss of revenue or profit Note: multiple responses accepted; percentages do not add to 100% (N = 121) Source: Aberdeen Group, September 2015 What SMBs Want from Their Investments in Security and What They re Actually Achieving Consistent with dozens of benchmark studies over several years, it comes as no surprise in Aberdeen s most recent analysis of

4 4 The drivers for current investments in security by small and mid-size businesses continue to be dominated by risks and compliance but the consequences of the security incidents actually experienced by SMBs don t necessarily align very well with their reasons for investing in security in the first place. Security and compliance demand that SMBs have a focused, disciplined approach. more than 120 SMBs that the drivers for their current investments in security continue to be dominated by risks and compliance, as shown in Table 1. For the SMBs in Aberdeen s study, risk as a driver for current investments in security has several dimensions, listed here in descending order: Avoid negative publicity (e.g., damage to reputation / brand) nearly half (47%)of all SMBs Respond to security-related incidents that were actually experienced in the last 12 months one-third (34%) of all SMBs Protect against disruptions to the business nearly one-fourth (24%) of all SMBs Protect against vulnerabilities and threats (i.e., the potential for actual security-related incidents) just over one-fifth (22%) of all SMBs As a driver for current investments in security, note that SMBs took compliance with government regulations much more seriously (41%) than compliance with industry regulations (19%), or problems with compliance certifications or audits that were actually experienced in the last 12 months (21%). This finding is most likely proportionate to the current level of enforcement, fines and penalties for non-compliance that SMBs have actually encountered. Nothing is less effective than a strict compliance requirement, weakly enforced. On the other hand, when asked about the most commonly experienced consequences of actual security-related incidents, SMBs reported some curious contrasts between outcomes and intent. Specifically:

5 5 Nearly four-fifths (79%) of SMBs cited loss of user productivity as a result of security incidents in the last 12 months, and nearly two-thirds (64%) experienced unplanned downtime or system outages yet just 24% identified such disruptions as a driver for investment. Just 8% of SMBs indicated that they had experienced fines or penalties for non-compliance yet more than 40% identified at least one form of compliance as a driver for current investments. Nearly a third (31%) of SMBs reported that they had experienced a compromise of sensitive data in the last 12 months which does seem to align with the 34% who cited actual security incidents as a driver for investment. This apparent gap between what SMBs say they are looking for from their investments in security, and what they say they are actually achieving from those investments, underscores the previous point: that the operational context for SMBs has significantly changed, and that SMBs need to develop a deliberate strategy for networking as a foundational, enabling technology. This in turn requires a focused, disciplined approach to network security. An Essential Question All SMBs Need to Address: Are Security and Compliance Merely Important, or Are They Actually Strategic? As Aberdeen has described in Managed Security Services: When It's Time to Stop Going IT Alone (August 2014), an essential issue that all small and mid-size businesses need to reconcile is that security and compliance are unquestionably desirable and important; i.e., they clearly merit serious attention but at the same time, it s also clear that SMBs don t exist merely to manage security and sustain compliance. On the contrary, SMBs exist chiefly to pursue their strategic business objectives of serving Quantifying the Business Impact of Security-Related Incidents Traditionally, security professionals have found it challenging to quantify the business impact of securityrelated incidents such as unplanned downtime or compromised data. In related research, Aberdeen has been applying the proven techniques of Monte Carlo modeling to raise the level of discipline around discussing these topics in terms of risk, as risk is properly defined i.e., in terms of both the likelihood of an incident, as well as the business impact if the incident does occur. Based on these models, Aberdeen has estimated the risk for these two specific areas which are two of the most commonly experienced consequences identified by SMBs as follows: The risk of unplanned downtime Median business impact of about 0.8% of annual revenue Business impact of between 0% and 2.8% of annual revenue, with 80% confidence The risk of a data breach Median business impact of about 2.3% of annual revenue Business impact of between 0.5% and 6% of annual revenue, with 80% confidence

6 6 Even if a given SMB has the resources (e.g., time, staff, budget) and capabilities (technical expertise) needed to implement traditional, on-premise network security solutions, is it really better off doing IT on its own or would it be better off leveraging the expertise, scale and scope of a third-party service provider? This essential question is one part can we, and one part should we. customers, profit, growth, expanding markets, differentiating themselves from competitors, and so on. Many things in IT can be extremely important, but not at all strategic for example, payroll. Another way to frame this essential question: even if a given SMB has the resources (e.g., time, staff, budget) and capabilities (technical expertise) needed to implement traditional, onpremise network security solutions, is it really better off doing IT on its own or would it be better off leveraging the expertise, scale and scope of a third-party service provider to address its network security requirements, freeing up its own resources for its own business? Network security service providers can provide SMBs with the network access, bandwidth, performance, security, compliance and monitoring capabilities they need while relieving them from the need to keep up with the latest technologies, hire the right experts, and make ongoing investments in new generations of networking hardware and software. For the SMB, the essential question is one part can we, and one part should we. Market Trends Show High Growth in Network Security Services Aberdeen s benchmark research helps to show how SMBs have been answering these questions to date, and how they intend to address selected aspects of network security going forward (see Table 2). In the specific network security solution categories of firewalls, intrusion detection, network scanning and continuous security monitoring, SMBs in Aberdeen s study indicate very strong growth in network security services in fact, the majority of new deployments are choosing services over inhouse implementations. Yes, these activities are important literally all SMBs have implemented firewalls, and a supermajority of SMBs has implemented solutions in the other three areas. But no, these activities are no longer being viewed

7 7 as strategic the clear majority of new implementations are opting for network security services, as opposed to doing it inhouse. Table 2: Aberdeen s Research Indicates High Growth for Network Security Services, as SMBs Increasingly Realize They re Better Off Not Going IT Alone Network Security Solution Category Overall Traditional / In-House Security Services Current Adoption Planned Growth Current Adoption Planned Growth Current Adoption Planned Growth Network firewalls 100% 2% 83% -7% 17% 50% Intrusion detection 83% 6% 63% -7% 20% 44% Network scanning 74% 20% 52% 14% 22% 35% Network security monitoring 24x7x365 More than one network security technology is typically deployed, so responses for current adoption do not add to 100%; current adoption refers to percentage of all SMB respondents (N=121); planned growth refers to planned deployments over the next 12 months. Source: Aberdeen Group, September 2015 Downtime, Data Breaches and Do-It-Yourself Network Security Costs SMBs More Than They May Think A final consideration for network security for small and mid-size businesses is to appreciate the costs of security-related business disruptions, data breaches and operational expenses of a do-ityourself approach which may be higher than many SMBs may think. As noted previously (see the sidebar on page 5): 70% 21% 52% 8% 18% 59% Aberdeen s estimate for the risk of unplanned downtime is between 0% and 2.8% of annual revenue (80% confidence interval), with a median annual cost of 0.8% or about $400,000 for every $50M in annual revenue.

8 8 Solution Selection Criteria In additional to quantitative comparisons of total annual cost, qualitative attributes to consider when selecting a network security services provider may include: Portfolio of managed services, professional services, and threat intelligence services Dedicated security expertise Global threat research and visibility Established customer base Industry thought leadership For the risk of a data breach, Aberdeen s estimate is between 0.5% and 6% of annual revenue (80% confidence interval), with a median annual cost of 2.3% which is more than $1.1M for every $50M in annual revenue. With respect to the operational expenses of network security, Aberdeen s analysis of SMB survey responses supports a simple estimate of the relative advantage of using selected network security services, compared to a traditional, in-house approach: Network firewalls 57% lower operational costs, on average Intrusion detection 3% lower operational costs, on average Network security monitoring 45% lower operational costs, on average Summary and Key Takeaways Most small and mid-size businesses (SMBs) today are built on the foundation of one essential technology: a reliable, high-performance network. Once they get to even a modest size, SMBs need to adopt a strategy for networking that delivers fast and reliable service, support for a dynamic mix of access and connectivity, and flexibility for future growth while also addressing security risks, and sustaining requirements for regulatory compliance. The drivers for current investments in security by small and mid-size businesses are dominated by risks and compliance but the consequences of the security incidents actually experienced by SMBs don t necessarily

9 9 align very well with their reasons for investing in security in the first place. Security and compliance demand that SMBs establish a focused, disciplined approach. SMBs need to make a build-or-buy decision about network security. Even if a given SMB has the resources (e.g., time, staff, budget) and capabilities (technical expertise) needed to implement traditional, on-premise network security solutions, is it really better off doing IT on its own or would it be better off leveraging the expertise, scale and scope of a third-party service provider? This essential question is one part can we, and one part should we. Aberdeen s benchmark research helps to show how SMBs have been answering these questions to date, and how they intend to address selected aspects of network security going forward. The research suggests 30% to 60% growth in network security services for SMBs, compared to low or no growth in traditional, in-house deployments. A final consideration for network security for small and mid-size businesses is to appreciate the costs of security-related business disruptions, data breaches and operational expenses of a do-it-yourself approach which may be higher than many SMBs may think: a median cost of 2.3% of annual revenue for a data breach, and a median annual cost of 0.8% of annual revenue for unplanned downtime as a result of security-related incidents, based on Aberdeen estimates.

10 10 For more information on this or other research topics, please visit. Understanding Your Risk (for Real) from Distributed Denial of Service Attacks; June 2015 Reconciling Enterprise Mobility and Employee Privacy: No Longer the Impossible Dream; April 2015 Flash Forward: Network Security in the Financial Services Sector; February 2015 Flash Forward: Putting Threat Intelligence in Perspective; December 2014 When Your IT Hits the Fan: Why Your Organization Needs an Incident Response Capability; Oct Related Research Flash Forward: Networks Designed for Growth, Not for Obsolescence; September 2014 Managed Security Services: When It's Time to Stop Going IT Alone; August 2014 Three Ways to Harden the Security of Your Campus Network; May 2014 The Most Popular Public Cloud Services, and the Technology that Makes Them Possible; February 2014 Author: Derek E. Brink, CISSP, Vice President and Research Fellow, IT Security and IT GRC About Aberdeen Group Since 1988, Aberdeen Group has published research that helps businesses worldwide improve their performance. Our analysts derive fact-based, vendor-neutral insights from a proprietary analytical framework, which identifies Best-in-Class organizations from primary research conducted with industry practitioners. The resulting research content is used by hundreds of thousands of business professionals to drive smarter decision-making and improve business strategies. Aberdeen Group is headquartered in Boston, Massachusetts, USA. This document is the result of primary research performed by Aberdeen Group and represents the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group and may not be reproduced, distributed, archived or transmitted in any form or by any means without prior written consent by Aberdeen Group