Kaspersky’s latest IT Security Economics Report 2024 reveals intriguing disparities in IT security staffing and product deployment across organizations of varying sizes. As anticipated, larger enterprises have more IT and IT security staff, as well as a greater number of solutions under management. However, they benefit from significant economies of scale, resulting in a lower ratio of IT security specialists to overall IT staff. Small and medium-sized businesses (SMBs), meanwhile, face disproportionately higher costs in their fight against cybercrime.
| Company size | Total IT staff | IT security specialists | Average number of solutions | Ratio of IT security staff to overall IT staff |
|---|---|---|---|---|
| Large enterprises | 105 | 23 | 15 | 22% |
| SMBs | 12 | 4 | 9 | 33% |
Large enterprises face increasing complexity
The data reveals that enterprises manage (on average) 15 complex and often costly security solutions with 23 IT security specialists. These specialists, though qualified, frequently perform manual tasks and face numerous routine processes.
Organizations experience several pressing cybersecurity challenges. Qualified specialists are in short supply, which on its own is a challenge, but it also results in higher wage demands. Data duplication across systems further complicates security operations, and siloed telemetry prevents the seamless correlation of critical security data, leaving gaps in threat detection. Cybersecurity teams can become overwhelmed by a constant flood of alerts and false positives, making it harder to identify genuine threats.
Compounding these issues, security professionals often lack the time to conduct in-depth investigations, as their efforts are consumed by managing multiple, disparate security solutions. As a result, large enterprises become increasingly vulnerable to sophisticated Advanced Persistent Threats (APTs) and complex, human-driven cyberattacks.
To overcome these challenges, Kaspersky recommends that organizations consolidate their disparate cybersecurity solutions or implement advanced, all-encompassing products that can correlate telemetry from different sources. This is achievable with Extended Detection and Response (XDR) solutions, for instance.
SMBs face unique challenges
With an average of nine security solutions that often provide only basic functionality and just four specialists managing standard processes and well-known threats, SMBs face unique cybersecurity challenges.
A major issue is the need for more qualified information security professionals. Additionally, limited time and resources mean that continuous security awareness training and staff education can be neglected, increasing the risk of data leaks caused by employees who may unknowingly aid cyber adversaries. The development and enforcement of security policies also suffer due to resource constraints, while financial limitations prevent SMBs from investing in more advanced security solutions and the skilled personnel required to manage them.
To address these challenges, SMBs can benefit from outsourcing complex security tasks to experienced teams, such as Managed Service Providers (MSPs) or Managed Security Service Providers (MSSPs). This approach is typically more cost-effective than maintaining a dedicated in-house security team. Additionally, organizations should prioritize ongoing cybersecurity training for all employees, not just IT and security personnel but also general staff, to foster a culture of security awareness and reduce human-related vulnerabilities. Adopting a managed security service like Kaspersky Managed Detection and Response can provide advanced automated security services and real-time analysis of corporate data, 24/7, helping protect against sophisticated cyberattacks, even in the absence of dedicated security personnel.
Additionally, transforming your workforce into an extra layer of protection against human-related cyberattacks is crucial. Solutions aimed at raising security awareness instill safe internet behavior among employees and include simulated phishing attack exercises that teach staff how to recognize phishing emails and other socially engineered lures.
While larger enterprises benefit from economies of scale, the proportional investment in IT security is higher in smaller organizations. This underscores the need for tailored security strategies that address the unique challenges faced by businesses of all sizes.