Cybersecurity Requires Electrons
It seems there is now a term for unutilized or under-utilized security hardware - "shelfware". That fact that a term exists would tend to indicate that it is a common problem.
According to a recent study by Washington-based Osterman Research, published by TechTarget, spending per user on security software was up $35/user in 2014, but the majority of that extra spending was for software that "is either not working as well as it can or hasn't been used at all." I can say with reasonable assurance that most SMBs cannot afford to spend that amount of money on security hardware and software that does nothing for them.
It goes without saying that security hardware and software are not much good in the package. And yet, many organizations seem to think that just the purchase solves some of their problems. I suppose that if your goal is to show an auditor that you bought the correct things, there might be a small benefit. Otherwise, the money might be better spent on office supplies.
I believe a more prevalent variant of this problem exists, which I will call "defaultware". This involves buying security hardware, installing it with default settings, and then assuming it is helping. Whether or not this is true depends to some degree on the hardware. As a general rule, higher-end firewalls work reasonably out of the box, but most wireless access points do not. In any event, it is essential to take some time with each item of security hardware and software installed to know how it works, and to confirm the appropriate settings.
Why does "defaultware" exist? According to Michael Osterman, president of Osterman Research, it is often difficult for IT staff to convince management on the importance of focusing on security exposures. Management will buy to recommended hardware or software, but other priorities prevent focusing on fully using what was purchased. Based on my own experience, in many cases, the IT team stays so busy dealing with the problem of the moment, that they often do not have time to focus on the more esoteric details.
One solution suggested by the study is for SMBs to use cloud-based or managed services, that involve security hardware/software that someone outside assumes responsibility for. This may seem more expensive on the surface, but is cheap as compared to spending $33/user on items that are not working.
The bottom line is that cyber security risk is not something that any company, either large enterprise or SMB, can afford to ignore. As Osterman put it, "Cyber criminals are very active in developing new techniques. Bad guys are getting very sophisticated and well funded..." We in the SMB world must use every tool at our disposal in an effort to keep up, and this includes getting every dollar's worth out of our security purchases.
