According to the IT Security Study 2006 that was released last week, the median large organization – with annual revenue of more than $750 million – budgeted no more for IT security last year than in 2004.
Meanwhile, the median small organization – with annual revenue of less than $250 million – increased spending by 3 percent and the median mid-size firm spent 2 percent more, the study revealed.
"Large companies tend to be laggards both in terms of IT security technology and security best practices most likely because of inertia," the study said. "Getting approval for new technology or changing management practices in larger organizations can be like turning an ocean liner."
The study polled 108 people in charge of IT security at their firms. Sectors represented included manufacturing, banking and finance, and healthcare.
Overall, mid-size companies allot 3 percent of their budgets toward IT spending, compared to 2.1 percent for small firms and 2.5 percent for large organizations, the study said.
Just 21 percent of medium firms felt their IT security budget was inadequate to ensure security, compared to 41 percent of large companies and 47 percent of small organizations.
"IT security may be a hot topic, but that doesn't mean that management is willing to spend more money on it," said Frank Scavo, president of Computer Economics.
A majority of respondents also said their companies lacked proper security practices.
Sixty-five percent of respondents said their companies do not provide IT security training for employees, while more than two-thirds fail to perform regular system security audits, according to the survey.