Cutting security budgets: risking your business
The majority of small to medium Australian enterprises (SMEs) are cutting IT security budgets instead of increasing them, despite a management perception of increasing vulnerability.
A recent report by IT security analyst McAfee found that the average breach cost an Australian SME well over $37,000. Fifty-four per cent of Australian SMEs had seen an increase in threats this year – with two-thirds believing that a serious IT breach could put them out of business.
One of the major findings of the report, entitled The Security Paradox, was that companies with fewer than 500 employees suffered more attacks on average than larger organisations.
Jo Stewart-Rattray, who is Director of Information Security for national accounting and business advisory firm RSM Bird Cameron, said organisations had taken their eyes off the security ball during 2009.
“During the GFC, security became a discretionary spend,” she said. “Organisations put the brakes on their spending for a while and then they took them off again, which made for a very jerky ride. This has caused a significant disruption in staff, strategy and operational activities in maintaining and improving the information security of our organisations.
“As a result, I think there’s a whole lot of risk bubbling under the surface that people are not aware of.”
Ms Stewart-Rattray said organisations needed to recognise that information security was about much more than just defending their perimeters.
“It is not enough to have anti-virus software and a firewall. As well as the challenges of the old chestnuts, such as the risks created by removable media, we have new challenges including vulnerabilities created by easy access to social media.”
“Security-smart organisations are increasingly utilising the principle of least privilege, where employees only get access to what they need to do their jobs. As awareness grows of this model, organisations recognise the need for a ‘trackable’ system where your movements through a corporate network are recognised and recorded as part of a standard security structure.”


by Ernie Davitt, National Affairs Editor, ASM