What Do Those IT Security Stats Actually Mean?

Last week we tweeted a factoid that came to us via the Security Bistro blog: the average enterprise experiences a malware event roughly once every three minutes.

Scary? Sure, but it’s hard to understand what that kind of statistic means for the average business. In fact, throwing too many numbers around can cause eyes to glaze over.

Let’s examine another fact we found courtesy of Security Bistro, this time from a Webroot study: 8 in 10 companies experienced one or more kinds of Web-borne attacks in 2012.

Scary, relevant, or none of the above? Let’s dive into the numbers. First, that stat was calculated from an online survey Webroot conducted during December last year. The company targeted businesses in the US and UK that employed between 100 and 5000 people. The survey was completed by 500 “Web security decision-makers” from these businesses (404 American, 96 British).

So, that Webroot stat could be rewritten to say: 400 English-speaking IT people believe their company experienced at least one Web-borne attack in 2012. OK, that doesn’t sound nearly as impressive as “8 in 10 companies,” but it’s certainly not a harmless sentence.

A quick LinkedIn search showed us that within the Raleigh-Durham metro area, there are around 440 companies that have between 200 and 5000 employees. That’s not a foolproof survey method by any stretch, but it gives us a number to work from.

If 80% of those companies reported a malware incident, that’d make 352 infected companies in a given year; if we went with that 400 number as a total, though, the percentage of companies infected jumps from 80% to 90%. Either way, not getting protected from malware means you’re gambling that your company will beat out companies like Red Hat or Epic Games to be among the lucky ones not tripped up by the bad guys.

Does that sound like a safe bet to you?

When we first talk to a business about IT security, our main push is to get people into a new mindset of preventative services. Waiting until the malware arrives to call for a pro is always a bad idea. It’s like waiting for a cavity to go to the dentist: painful and expensive. Instead, it’s much better for a business to invest in security tactics like network monitoring to ensure that security patches are applied promptly and bad programs are caught in their tracks.

No matter how you juggle the numbers, one thing is clear: security should be an important part of any business IT plan.