If you are an IT manager in a mid-sized organization, a service provider to this space, or a journalist looking to educate SMB readers about the costs associated with security threats, I think the “Security Paradox,” just issued by McAfee’s Mid-Size Business team, should be on your “must read” list.

This study, conducted by MSI International, a global market research organization, affirmed some of what we knew, revealed a lot we didn’t know, and showed us how wrong we were on a lot of fronts.

First, where we were wrong – I was surprised at how much companies spend around the world in remediation after a cyber attack or security incident. Given the protections available today and the focus on “best practices” in security, I would have thought only a minority of organizations actually suffered costly attacks – I was so wrong. The worldwide average was over $40k, with China and the United States responding with almost $200K and $75K annually, respectively – and these are averages, so the costs for some ran into the hundreds of thousands.

I was also surprised with how evenly distributed the costs were associated with the various “threat vectors” the study considered (the study focused on email, web, endpoint, network and data loss attacks).  This study found that, while the number of incidents a company experienced might differ, as do the costs of remediating those respective attacks, the total cost of remediation in each of these five “threat vectors” was amazingly similar – varying by less than 20% from one threat type to another.

The study also showed us that the “easy stuff,” the threat types we thought we’d controlled long ago, were still alive, well, and painful. In fact, the most common “threat vectors,” both in terms of the number of incidents and in the related cost of remediation, were basic endpoint and email incidents – malware, spyware, and email-spawned attacks. Check out the new McAfee Threat Report to get the latest stats straight from the researchers at McAfee Labs.

So, what do we conclude about the things we didn’t know? First, we’ve got to do a better job of getting mid-sized organizations secured. These companies are crying out for help, and we’ve got to respond with products that are easy to use and offer deep protection. We’ve got to make widely available security management “best practices” and provide the means by which mid-sized companies can take advantage of them.

Next, we’ve got to do a better job of educating this customer segment on managing to a broader portfolio of threats.

The reality is that protection is only effective if it is balanced across the broad array of the security threats these companies face, and they are not truly safe and secure until they secured across all “threat vectors.”

More on the Paradox Report soon… but if you have three minutes, take a look at the Secure in 15 video and tell me what you think.