VIPRE REPORT: Price Reigns Supreme for Small Businesses When Choosing Their Endpoint Security
SUMMARY
More than 70% of IT managers say budget considerations have forced them to compromise on security features, yet price beats all other factors when companies of up to 500 employees purchase endpoint security. Additionally, although solution complexity is a problem, most IT managers have high confidence in their ability to defend against malware. The survey reveals an apparent acceptance of the inevitability that some malware attacks will occur, perhaps explaining why the focus on advanced features isn't as keen as it should be. It may also explain why ransomware, which has become the most prevalent cyber threat in the current landscape, doesn't even rank as the respondents' top security threat. Instead, that distinction goes to web-based threats.
When making endpoint security purchases, price overshadows all other criteria for IT managers at companies of up to 500 employees. Price is so important, in fact, that 71% of respondents in a recent survey say they've had to settle for solutions with fewer features due to budget considerations. On the bright side, nearly all respondents (97%) agree their organizations need endpoint security. However, many are not terribly pleased with the choices available to them, with 67% saying security tools are too complex. This sentiment echoes a common complaint among IT and cybersecurity professionals.
The survey, conducted by Opinion Matters on behalf of VIPRE, suggests a level of overconfidence among IT managers in their ability to defend against malware that many of the findings do not support. For instance, while most respondents would personally guarantee the safety of their customers' data, almost half (48%) believe they don't need the advanced malware capabilities that would justify their confidence. As a whole, advanced malware protection doesn't come across as much of a priority, considering 50% of respondents said their endpoint security lacks advanced features.
Settling for Less: 71% of IT Admins have settled for weaker endpoint security because of budget constraints.
PRICE MATTERS
63% of the IT professionals polled consider endpoint security tools too expensive, and the number goes up to 73% for those at companies with the smallest security budgets ($25,000 or less). It's no wonder, then, that 71% of respondents have had to buy more basic security, as opposed to the advanced protection that they need, due to price. Only 28% say doing so put their company at risk, but the number jumps to 41% at companies that suffered a breach in the past year and 69% in the last four.
Despite their collective show of frugality, 80% of respondents believe more expensive products offer better protection. This is likely a truer reflection of how much IT professionals think they should spend on endpoint security. While they would love a reality where skimping on price doesn't create risks, it is clear that spending more would make most of them feel better.
Price ranked as the No. 1 deciding factor in endpoint security purchases (53%), followed by ease of use (47%), feature set (41%), support (34%), advanced detection technology (31%), and cloud-based management (29%). Ransomware prevention mustered only a 21% score, an indication of overconfidence, considering how prevalent a threat it has become. The FBI says ransomware was responsible for $1 billion in cyber-extortion payments last year.
The survey revealed some ambivalence toward advanced features in general. Although 90% say they can afford them, only 31% look at advanced detection as a criterion for picking solutions. About 40% say they already have it, while 50% say they plan to get it. At companies with security budgets of less than $25,000, the number of those already protected by advanced features is actually higher at 50%. At those companies, 17% say they plan to invest in advanced protection, while 17% do not. Overall, 48% of respondents agreed with this statement: "An organization of my size does not need endpoint security with advanced malware defense capabilities." This is another sign of uncertainty, which suggests a lack of understanding as to what "advanced features" means, something security vendors should address.
[Figure: Pricey Opinions. Percentage of respondents who agree or disagree with each statement: "Free endpoint security products provide enough protection for organizations of my size"; "I have more confidence in an endpoint security solution I pay for than a free product"; "More expensive products generally provide superior protection than lower priced alternatives"; "Pricing is easy to understand"; "They are too expensive".]
Survey respondents shared their views on endpoint security pricing, revealing that most IT admins agree that security vendors' pricing schemes are easy to understand, but they believe endpoint security is too expensive. And while respondents mistakenly put more faith in more expensive products, many feel that free endpoint security provides adequate protection.
YOU GET WHAT YOU PAY FOR
While 63% of survey respondents say "free endpoint security products provide enough protection for organizations of my size," 90% say they have more confidence in products they buy than those available for free. At the smallest companies, the number of those who believe free endpoint security is sufficient is higher. It rises to 83% at companies with 5 to 24 employees, but drops to 61% (less than the overall percentage) at those with 25 to 50 employees. Unexpectedly, that number climbs among the largest companies surveyed (351 to 500 employees) to 67%. Perhaps more surprising, the number is even lower at companies with the smallest budgets: 50%. It would seem the outlook on the efficacy of free products isn't directly related to company size or budget.
#SecurityFail Coincidence? 70% of IT admins at small businesses breached within the last year say free endpoint security products provide enough protection.
Does it have to do with breach history, then? Not so. Respondents at companies that have suffered a breach in the last one to three years embrace free endpoint security to the tune of 70%. At face value, the finding is shocking. But looking under the surface, it lends credence to the idea that IT professionals, whether consciously or not, simply accept that some attacks are inevitable. While the sentiment is realistic, there is a danger it could lead to complacency.
COMPLEXITY COMPLAINTS
Perhaps the acceptance of inevitability is partly fueled by endpoint security products that respondents say have become too complex to easily manage. If solutions are too difficult to manage, it stands to reason that a sense of inevitability would start to creep in, especially if a breach is still fresh in your memory. 67% of participants complained about complexity, and that number soars to 94% at companies that suffered a breach in the past year. Looking further back, that number begins to decline, with companies suffering a breach in the last two years coming in at 80% as compared to 70% for companies that were breached within the last three.
Another concern has to do with the selection process itself. 86% of respondents say it's difficult to select the right endpoint solution for their organization, while 64% agree there is not enough differentiation between solutions, making it harder to make a clear decision between vendors. If that weren't problematic enough, the survey reveals a mismatch between features offered and what, exactly, is needed. 52% say endpoint security offers too many unnecessary features, and the same number say solutions don't offer enough features to suit their specific needs.
Interestingly, deployment isn't an issue for most survey participants, with 90% saying the tools are easy to deploy. Productivity, however, is a different story. 51% say endpoint security solutions hurt employee productivity.
[Figure: Complexity Gets in the Way of Security. Percentage of respondents who agree or disagree with each statement: "Endpoint security provides too many features I don't need"; "Endpoint security slows down the productivity of my workforce"; "Endpoint security solutions have become too complex to easily manage"; "Vendors offer many products and options (levels of protection, feature sets and add-ons) and it can be confusing to easily select the right endpoint security"; "There is little differentiation between security vendors".]
Whether it's too few differentiators between vendors or too many product options offered by each, IT admins struggle to make easy choices when it comes to endpoint security. More than half feel their solutions are bloated with features they don't need, too complex to manage and that their endpoint security solutions still slow down their workforce.
WHY SO CONFIDENT?
As noted previously, the VIPRE survey indicates a significant level of confidence in organizations' ability to defend against malware. For instance, a vast majority of respondents (89%) say their tools are adequate in defending against ransomware, zero-day attacks and other threats that evade traditional antivirus software. Such threats are the hardest to defend against because they cannot be detected by tools that rely on known malware signatures to do their work.
Confidence is especially high at the largest organizations (351 to 500 employees), with 93% of those respondents saying their tools are adequate. And it is surprisingly high at organizations that have been breached recently: 85% at companies breached in the past year and 88% at those breached in up to two years.
Another measure of confidence is the fact that 77% of respondents feel they have a strong grasp over security because they have enough in-house resources to manage endpoint security and other security solutions. The percentage drops to 67% among the smallest companies but stands tall at 89% among the largest. The same pattern is reflected in budget size, with 87% at companies with budgets of $200,000 and above and 61% for those allocating $25,000 or less to endpoint security.
We Got This: 77% of IT Admins believe they have a strong grasp over their security.
TRUMP'S EFFECT ON SECURITY CONFIDENCE
With the American electorate divided in their support for the new Trump administration, it should come as no surprise that when asked if U.S. cybersecurity will become easier under the new president, the split among IT managers seems to fall in line: 41% think cybersecurity will become more difficult and 40% think the opposite. The rest see no change. For those at companies that suffered a breach in the past year, the level of confidence increases. In a show of confidence in the new administration, 59% of them say they think cybersecurity will be easier.
[Figure: 19% No Change; 40% Less Difficult; 41% More Difficult.]
Early in President Trump's administration, IT Admins are split on whether his leadership will make cybersecurity easier or more difficult for small businesses.
PERSONAL GUARANTEES
Perhaps the most telling of the survey findings regarding confidence is the personal guarantee that 83% of respondents would put on their company's security, two points higher than when they were asked this question two years ago. Curiously, the number among companies breached over the past year was even higher at 88%, all the way up to 100% among those breached in the last five. This suggests that those that have been struck have strengthened their defenses, unless they believe lightning doesn't strike twice, which is far from a certainty. IT professionals presumably are aware hackers will not hesitate to attack again if they believe they can gain from it. In some ransomware cases, attackers have even asked for money a second time.
Cyber-Overconfidence: 83% of IT Admins would personally guarantee their company's customers that their data will be safe in 2017. That number rises to nearly 90% for respondents at businesses breached.
Nevertheless, 53% of respondents would recommend negotiating after a ransomware attack. This is a sizable increase from a 2015 survey of IT security professionals, when only 30% said they would negotiate. The number in the new survey is especially high at 82% among those that have already suffered a cyber attack in the past year, indicating that those that have already been victimized tend to be more willing to negotiate.
PHISHING REMAINS A BIG CONCERN
Phishing is one of the most pervasive cybersecurity threats and is often used to deliver ransomware. It works because hackers employ a variety of tricks to get victims to infect their machines by clicking on compromised URLs and email attachments. When IT managers have to remove malware from an executive's computer, most often it has been delivered through phishing, as per 45% of those polled. The problem is worse at the larger companies, up to 56% of those with 351 to 500 employees. This shows hackers prefer to zero in on bigger targets but also will attack smaller companies when given the chance.
Execs Under Attack: 56% of IT Admins at businesses with 351 to 500 employees report senior leadership falling victim to phishing attacks.
NEED FOR SCHOOLING
Despite all the high-profile cyber attacks in recent years, IT professionals often are still called on to "remove malware from a computer or other device used by a member of your company's senior leadership team" because they did something they should not have done. The biggest problem is phishing, according to 45% of respondents, which is especially vexing because it can't be defeated with technology alone. Organizations need to educate users about the phishing threat and train them not to click on suspicious URLs and attachments.
Respondents also had to remove malware resulting from visits to porn websites (26%, down from a high of 56% in 2017), letting a family member use a company-owned device (22%), attaching an infected USB stick or phone to a PC (22%) and installing a malicious app (21%). On the bright side, a full 25% of respondents said they've never been asked to remove malware from executives' computers.
[Figure: Execs Causing Infection. Percentage of respondents reporting each cause: "Exec installed a malicious app"; "Exec attached infected USB device to PC"; "Exec let a family member use company PC that led to infection"; "Exec visited an infected pornographic website"; "Exec fell victim to phishing attack".]
While the biggest culprit behind infected PCs used by executives appears to be phishing, IT Admins are still dealing with executives visiting infected pornographic websites, letting family members use work machines, installing malicious apps and connecting to infected USB devices.
CONCLUSION
When it comes to endpoint security, it's clear education is needed, not just to warn users about the danger but also regarding other aspects. For instance, focusing on price as the primary factor to choose a solution is misguided and could very well lead to overlooking more important features such as advanced malware detection. Forgoing needed security features because of price can put a company at risk, something that 28% of respondents admit. But the risk is almost certainly greater than that percentage would indicate.
It's also clear that solution complexity is a problem, and that's an issue for security solution vendors to address by making their products simple to select, deploy and manage. If administrators find the solutions too hard to manage, they could make mistakes that cause vulnerabilities even if they are confident in their ability to defend against malware attacks.
STUDY METHODOLOGY
The independent blind survey of 253 US IT Managers and IT Directors working with companies with five to 500 employees was conducted by Opinion Matters on behalf of VIPRE in February and March 2017.
ABOUT VIPRE
VIPRE is the highest-rated, award-winning internet security product for home users and businesses. It is powered by the world's most sophisticated security technologies that protect millions of users from today's top online threats, including ransomware, zero-days and other malware that easily evades traditional antivirus. Backed by cutting-edge artificial intelligence, one of the world's largest threat intelligence clouds and real-time behavior monitoring, VIPRE deploys in minutes to deliver unmatched protection without slowing down PCs. All VIPRE customers receive free U.S.-based technical support.
Simply the Best. VIPRE wins Top-Rated Security Product and consistently wins 100% block rates and zero false positives from AV-Comparatives.