Businesses that don't take full advantage of their security software are wasting money and facilitating the hackers seeking access to their payment data.
Even though organizations are spending more on security, nearly 30% admit to not getting the full value of their security-related software investments, Trustwave said in a new report.
"There is this notion that you can buy a security product to solve a problem, like a one-time purchase or one-time event," said Greg Rosenberg, security engineer at Trustwave. "But that's not how security works."
Trustwave, through Osterman Research, asked 172 information technology professionals at small to mid-sized businesses in November about the resource challenges they face regarding security. The Chicago-based vendor compiled information for the "Security on the Shelf" report it will release next week.
Respondents represented enterprise organizations of more than 1,000 employees and smaller businesses of less than 1,000 employees, establishing a median of 1,150 Internet users. One of those organizations said that 60% of its security software remains unused.
Organizations spent $115 per user for security software in 2014, but $33 of the investment was either underutilized or never used at all. Thus, an organization of 500 users would waste more than $16,000 of its security investment.
This is particularly troubling, considering the $115 per user represents a 44% increase over the $80 spent in 2013, the report added.
"This is our first time trying to quantify this and wrap a dollar number around it," Rosenberg said.
And it may even be a bigger problem than the research says it is.
"People are telling us this is a problem, but how many are going to admit they are not really taking advantage of a security software, especially if they were the ones who purchased it?" Rosenberg asks. "You have to skew the numbers higher than what was reported."
A common theme when studying security weakness is that IT teams do not have enough time to fully implement and monitor the security software they use. Instead, these teams spend much of their time on password resets and basic troubleshooting, Rosenberg said.
However, a lack of understanding current security threats is not an issue for IT teams. The report indicates IT teams are generally well aware of emerging attacks, but often lack the personnel needed to guard against them.