By Linda Tucci
IT executives at small and medium-sized businesses (SMBs) will spend a full percentage point more of their IT budgets on security in 2009 than 2008, according to a new study from Forrester Research Inc. The change will result from a shift in security strategy from computer security threat defense to corporate data protection.
That more closely mirrors the strategy at large companies, says Forrester's "The State of SMB Security: 2008-2009 ." For SMBs, which Forrester defines as companies with fewer than 1,000 employees, that means 10.1% of their IT spending will go toward IT security in 2009, compared with 9.1% in 2008.
"What was interesting in this survey was how similar the SMBs were to enterprises, in terms of their issues and objectives and even the pressures they are facing in finding people with the right skills," said Jonathan Penn, vice president, tech industry strategy -- security, at Cambridge, Mass.-based Forrester and author of the report.
Nearly 20% of the respondents plan to pilot or adopt a host intrusion prevention system (HIPS), file-level encryption, full disk/desktop encryption, endpoint control and data leak prevention in the next 12 months. The moves will almost double the use of these security technologies at SMBs.
Indeed, protecting the data assets of the business was the highest priority for both SMBs and enterprise companies, surpassing threats frequently cited in the past, like malware (ranked fifth of 11 security issues) and regulatory compliance (ranked 10th).
The No. 2 concern for both SMBs and enterprises was application security. It is perhaps not surprising that big companies with dedicated security staffs understand that application protection is an important component of managing risk, Penn said. The fact that the multitasking IT staffs at most SMBs not only share this concern but can also communicate it to upper management represents a shift in their approach to managing risk.
"More than half of SMBs said that management does view application security as a significant area of risk," Penn said. That's about the same number as respondents from enterprise-level companies. "That's a fairly sophisticated view."
The findings are based on responses from 1,206 SMB business and IT leaders and 942 enterprise respondents in a pair of surveys done in the third quarter of 2008.
The focus on data protection represents a "pretty healthy approach" to security, in Penn's view. Rather than following hackers' latest bag of tricks, IT executives are taking an asset-based approach, determining a company's most important data stores and building defenses around them
"There is a growing recognition that the focus should be on what the attacks are actually doing to business assets, rather than looking at the kind of attack, per se," Penn said.
Strong adoption of managed security services
When it comes to IT security technologies, the survey showed that -- similar to large enterprises -- SMBs are increasingly going to managed security services  to find specialized skills (31%) and to reduce costs (24%). Managed security services include email or Web content filtering, network firewall monitoring and vulnerability assessments. About half the SMBs already employ or plan to procure these technologies through managed services.
"We think of managed security services as something that people turn to just for cost savings," Penn said. "But we are seeing pretty strong adoption of managed security services across both SMBs and enterprises, and a lot of it has to do with the skills shortage. People are unable to find staff with the right skills, or in some cases, don't want people with those skills and find it just as effective to outsource it."
Endpoint security  is one area that will see strong growth, according to Forrester, as 14% of SMBs indicated that they plan to adopt or pilot services in this area. That's on top of the 19% currently using such services.
Other findings for the survey include:
* Some 58% of SMBs use personal firewalls 26% use HIPS  and another 19% plan to adopt it in the next year.
* One in five SMBs has a strong plan to pilot or adopt full disk encryption (18%), file-level encryption (18%) and endpoint application/device control (17%).
* One in four SMBs has adopted email encryption (26%), network storage encryption (23%) and data leak prevention (23%) -- more than any other data security technologies.
* In 2009, data leakage protection will see the most growth, with 20% of SMBs committed to piloting or adopting it in the next 12 months.
Security holes at SMBs
For Jerry Hodge, senior director of information services at Hamilton Beach Brands Inc., managing risk is a constant negotiation with the business. The midmarket company has all the enterprise-sized risks, including contending with the Sarbanes-Oxley and Health Insurance Portability and Accountability acts as well as Payment Card Industry regulations -- with a fraction of the resources.
Hodge said he hopes to free up some money this year to do quarterly security assessments to get a better handle on vulnerability. Hodge also reorganized his infrastructure team and gave it a new name -- the infrastructure, security and compliance group -- to better address his risk strategy. But money is tight. "We are looking to do more with the same dollars," he said.
Indeed, cost and business justification for data security remain a huge challenge for the majority (54%) of SMBs in plotting their security strategy, the survey showed. But Penn said this year's survey results also indicate a growing awareness of security as a business issue.
"I don't think that the business yet sees security as a business enabler, but they do see that bad security can be significant business risk," he said.