by Allan Holmes

The Global State of Information Security 2006: Big Firms vs. Small Firms.

Sep 15, 2006
IT Strategy

When it comes to security, bigger isn’t always better.

Sure, large companies tend to have more strategic and effective security operations than smaller companies, so they should have fewer breaches and less negative fallout from attacks. Right?

Wrong. Our survey found that mid-market companies (those with revenue between $100 million and $1 billion) experienced fewer security breaches than their larger counterparts. Nearly 30 percent of midsize companies claimed their security measures have never been compromised compared with just 16 percent of larger enterprises.

Bigger companies also have less of a handle on what’s happening in their (larger) networks. They’re less likely than their smaller counterparts to know how many security breaches they’ve had (42 percent of the bigger companies had no clue versus 29 percent of midsize companies and 16 percent of the small-market companies, those with less than $100 million in revenue).

Bigger budgets and more security staff also make no difference when it comes to recovering from an attack. The percentage of midsize companies that experienced network downtime lasting more than a day matches the figure for large companies: about 10 percent.

Finally, midsize companies have a slightly clearer picture of the losses they sustain in an attack. Fifty-five percent knew the extent of their financial losses; just 51 percent of large companies could make the same claim.

Why is this so? Security specialists cite two factors to explain the discrepancies between the actions and outcomes of the big guys and their smaller counterparts.

Larger companies most likely sustain more cyberattack attempts than smaller ones because the returns to the evil-doer are greater if the attack succeeds. Big companies also tend to be more complex, and keeping tabs on them becomes challenging, to say the least. But the experts say the gap between mid- and large-market companies might have been even wider if the larger companies had not followed more strategic security practices. The lesson here is that midsize companies might reduce the number of security breaches they experience (and the damage caused by them) if they did the same.