Those who wish you ill or would gladly steal from you care little about the global economic downturn. They are not sending out fewer exploits as attachments to spam, they have not stopped looking for ways to transfer money out of your bank account or use your office PCs as zombies. When money is tight you need to defend yourself intelligently. Your number one priority should be keeping your software patched. Your second priority should be scanning any externally facing web applications for common vulnerabilities. If you don’t have the skills, hire someone who does. Finally, take the time to educate your employees on safe computing practices. Again, if you lack the skill, bring in a professional trainer.
How secure is your company? Are you spending too much or not enough on security? How would you know? We don’t have 1,000 years of statistical data to build orderly models with nice normal distributions (if in fact that is the underlying distribution, which is unlikely).
Much of what is spent is to fix an irritation or meet a regulation. I know a company that first introduced anti-virus into the enterprise because the CEO was angry at all the emails that filled his inbox due to an email virus. In this case it was purely reactive. When I was a senior security analyst inside a large multinational, we were able to go three straight years without a worm or email virus getting into our network. This was at a time when Microsoft vulnerabilities were a constant cascade and Microsoft responded to everything released on Bugtraq as if it were a malicious lie. We managed this on a relatively small budget and with a user base that had admin access over their local machines. It is possible to have tight security without spending a fortune. Despite this, I knew we were not spending enough on security because we had little to no defense against the insider threat. The best defense against the insider threat is an ethical corporate culture and good hiring practices, an area often overlooked. Of the triad in security, prevention, detection and cleanup, prevention is frequently the most expensive when done with technology. Prevention is a lot cheaper if you don’t hire losers in the first place, or if you don’t build up resentment by stealing from your employees with understaffed teams, overworked associates and no bonuses except for the C suite.
At this point, lacking a wealth of statistical data, most companies can’t say whether they are spending too little or too much unless they ask an outside expert. If they ask the question inside the company, they will most likely get an answer weighted toward self-preservation, if they are asking at all.