What is the steepest financial investment that companies make to protect themselves? I might have said expensive firewalls or intrusion detecting systems, or perhaps proprietary auditing software. On the contrary, it seems the biggest cost is anti-virus software. Not only is it the largest single expense, but it is quickly becoming the majority expense as well, with Gartner claiming it'll go over 50% of the average security budget.
Perhaps such a huge focus on preventing or removing infections is worth backing it with such a large portion of funds, though spending half of what you have just on anti-virus seems odd to me. On the other hand, anti-virus makes a presence at many stages of a network. You'll have anti-virus running on a mail server, scanning all inbound and outbound mail. You'll have it on each individual workstation, scanning as people work. You'll have it on fileservers and perhaps even on middleman devices, sniffing traffic for malicious content.
What would be more interesting than seeing where money goes, however, is seeing where the infections are coming from. Are most of them coming via e-mail, or is it more likely a workstation is infected by someone plugging in a thumbdrive from home or installing rogue software on their own?