Virtually all modern organizations are built on the foundation of one essential technology: a reliable, high-performance network. In a recent report, Aberdeen suggests four actions that every SMB (Small and Mid-size Business) should take with respect to network security.
Network Security for Small and Mid-size Businesses
Your Business is the End – Your Network is an Essential Means
For small and mid-size businesses to stay competitive and achieve their business objectives, SMB networks, which may have initially been designed simply to support internal activities, now need to adapt, integrate, and keep up with the waves of disruptive changes in IT infrastructure that have occurred in recent years – which include mobility, social collaboration, virtualization and cloud computing, among others.
Once organizations get to even a modest size, they need to adopt a strategy for networking that delivers fast and reliable service, support for a dynamic mix of access and connectivity, and flexibility for future growth. Networking is one of the core information technologies that makes all these other services possible, and it demands ongoing focus.
Security risks have become an issue, and smaller organisations would be unwise to believe that they are somehow immune. Compliance brings another set of requirements that many SMBs are now compelled to achieve and sustain, which may include industry regulations (e.g., security standards for payment card data under PCI DSS – Payment Card Industry Data Security Standard), government regulations, customer requirements (e.g., recent trends towards larger enterprises being required to validate minimum standards for security throughout their supply chains) or all three.
Aberdeen’s most recent analysis of more than 120 SMBs shows that the drivers for the current investments in security continue to be dominated by risks and compliance, as shown in Table 1.
For the SMBs in Aberdeen’s study, risk as a driver for current investments in security has several dimensions, listed here in descending order:
- Avoid negative publicity (e.g., damage to reputation/brand) – nearly half (47%) of all SMBs
- Respond to security-related incidents that were actually experienced in the last 12 months – one-third (34%) of all SMBs
- Protect against disruptions to the business – nearly one-fourth (24%) of all SMBs
- Protect against vulnerabilities and threats (i.e., the potential for actual security-related incidents) – just over one-fifth (22%) of all SMBs
On the other hand, when asked about the most commonly experienced consequences of actual security-related incidents, SMBs reported some curious contrasts between outcomes and intent. Specifically:
- Nearly four-fifths (79%) of SMBs cited loss of user productivity as a result of security incidents in the last 12 months, and nearly two-thirds (64%) experienced unplanned downtime or system outages – yet just 24% identified such disruptions as a driver for investment.
- Just 8% of SMBs indicated that they had experienced fines or penalties for non-compliance – yet more than 40% identified at least one form of compliance as a driver for current investments.
- Nearly a third (31%) of SMBs reported that they had experienced a compromise of sensitive data in the last 12 months – which does seem to align with the 34% who cited actual security incidents as a driver for investments.
This apparent gap between what SMBs say they are looking for from their investments in security, and what they say they are actually achieving from those investments, underscores the previous point: that the operational context for SMBs has significantly changed, and that SMBs need to develop a deliberate strategy for networking as a foundational, enabling technology. This in turn requires a focused, disciplined approach to network security.
An Essential Question All SMBs Need to Address: Are Security and Compliance Merely Important, or Are They Actually Strategic?
As Aberdeen has described in Managed Security Services: When It’s Time to Stop Going IT Alone (August 2014), an essential issue that all small and mid-size businesses need to reconcile is that security and compliance are unquestionably desirable and important; i.e., they clearly merit serious attention – but at the same time, it’s also clear that SMBs don’t exist merely to manage security and sustain compliance. On the contrary, SMBs exist chiefly to pursue their strategic business objectives of serving customers, profit, growth, expanding markets, differentiating themselves from competitors, and so on. Many things in IT can be extremely important, but not at all strategic – for example, payroll.
Market Trends Show High Growth in Network Security Services
Aberdeen’s benchmark research helps to show how SMBs have been answering these questions to date, and how they intend to address selected aspects of network security going forward (see Table 2). In the specific network security solution categories of firewalls, intrusion detection, network scanning and continuous security monitoring, SMBs in Aberdeen’s study indicate very strong growth in network security services – in fact, the clear majority of new deployments are choosing services over in-house implementations.
A final consideration for network security for small and mid-size businesses is to appreciate the costs of security-related business disruptions, data breaches and operational expenses of a do-it-yourself approach – which may be higher than many SMBs may think.
- Aberdeen’s estimate for the risk of unplanned downtime is between 0% and 2.8% of annual revenue (80% confidence interval), with a median annual cost of 0.8% – or about $400,000 for every $50M in annual revenue.
- For the risk of a data breach, Aberdeen’s estimate is between 0.5% and 6% of annual revenue (80% confidence interval), with a median annual cost of 2.3%, which is more than $1.1M for every $50M in annual revenue.
With respect to the operational expenses of network security, Aberdeen’s analysis of SMB survey responses supports a simple estimate of the relative advantage of using selected network security services, compared to a traditional, in-house approach:
- Network firewalls – 57% lower operational costs, on average
- Intrusion detection – 3% lower operational costs, on average
- Network security monitoring – 45% lower operational costs, on average
Summary and Key Takeaways
- Most small and mid-size businesses (SMBs) today are built on the foundation of one essential technology: a reliable, high-performance network.
- Once they get to even a modest size, SMBs need to adopt a strategy for networking that delivers fast and reliable service.
- The drivers for current investments in security by small and mid-size businesses are dominated by risks and compliance.
- SMBs need to make a build-or-buy decision about network security.
- Aberdeen benchmark research suggests 30% to 60% growth in network security services for SMBs, compared to low or no growth in traditional, in-house deployments.
- The costs of security-related business disruptions, data breaches and operational expenses of a do-it-yourself approach are higher than many SMBs may think.
Aberdeen Group has been an international research partner of Nebula since 2010. With thousands of research documents, growing daily, Aberdeen’s research library helps enterprises and service providers discover the priorities and strategies of best-in-class enterprises.
Besides Nebula’s insight and research services, we also provide services to help large enterprises assess, optimise and manage their enterprise ICT environments.
Should you be interested in finding out more about Nebula’s services or discussing this research, please send us an email indicating your requirements to ContactUs@nebula.co.za.