Fortune 1000 Hot and Cold on NAC

Fortune 1000 companies are sending mixed messages about Network Access Control (NAC) technology through their purchasing and implementation practices. Twenty-two percent will spend more than $500,000 on NAC this year, while only 12 percent spent more than that amount in 2006, according to a survey by TheInfoPro (TIP), an independent research company. And, TIP reports, "NAC, in all of its variations appears to have the largest net positive planned spending increases projected for 2008, keeping NAC as the #1 Network Security technology on the Information Security Technology Heat Index, which gauges the immediacy of end user needs and then weights them against spending."

Sounds like a healthy technology segment, right? But before you go out and buy those Cisco Systems or Juniper Network shares, you might want to know that fewer companies are implementing NAC today (26 percent) than were doing so in 2006 (30 percent) or in 2005 (35 percent). And a whopping 53 percent today have no plans or only long-term plans to implement NAC, compared with 35 percent in 2005.

TIP has an explanation for why the Fortune 1000 aren't deploying NAC. The research company revealed that survey respondents said that NAC hasn't lived up to its promise and isn't delivering the ROI they expected. TIP cited one respondent comment as expressing the mood of the moment: "We had plans to deploy it, but the technology is just not ready yet. We are not sure what the specific problems are, but all I can say is that it is not ready."

What I'm wondering is, if companies are spending on NAC but aren't deploying it, where is all the NAC money going? There must be a lot of NAC equipment sitting in test environments. One more survey tidbit: As you might expect, Cisco is way ahead among the NAC vendors from which companies have purchased or plan to purchase NAC technology. Symantec, Juniper, and Microsoft have significant but much smaller pieces of the pie, and many other vendors were mentioned. To see (and hear) a presentation of the TIP survey findings, go to http://www.brainshark.com/theinfopro/infosec-pr3.

SMBs Struggling with Security

While the Fortune 1000 ponder the latest NAC technologies, small-to-midsized businesses (SMBs) struggle to implement basic protection against Internet-based and other threats with limited budgets and staff. Webroot Software, which sells antispyware and antivirus solutions, surveyed companies with five to 999 computers in the United States, Canada, the United Kingdom, France, Germany, and Japan.

The Webroot State of Internet Security: Protecting Small and Medium Businesses report presents a pretty sobering picture. It first cites outside research to demonstrate that SMBs play a large role in the world economy in terms of both revenue produced and workers employed. The report then uses a combination of Webroot's own survey findings and other research to show that SMBs are vulnerable in a number of areas.

One survey finding struck me as especially telling: SMBs operate with shoestring IT staffs. In the UK, Germany, and Japan, more than 50 percent of the respondents said their company had two or fewer IT staff members. The US, Canada, and France are better staffed, with 30 percent, 38 percent, and 47 percent, respectively, reporting only two or fewer IT people. Still, the majority of companies—with the US at 57 percent, Canada at 69 percent, and the other countries all at 75 percent or higher—had fewer than ten IT staff. It's not hard to imagine why many of these companies don't have policies governing employees' downloading of music or personal use of the Web and email—IT staff are juggling too many responsibilities to focus adequate attention on security policies.

The State of Internet Security report has lots more interesting information and suggestions about how SMBs can improve their security. You can download the report and Webroot's Guide to Security for Small and Medium Business from the Webroot Web site after filling out a short registration form.