Businesses are failing to implement effective security policies or to train their staff on the matter, according to a new report.
A survey of more than 700 security professionals found nearly half (48%) said there remained a lack of training and an unsupportive company culture around security.
Four out of five IT security professionals said their company was at least “satisfactory” in security, according to the survey conducted by (ISC)2 and Infosecurity Europe 2009.
Forty-six percent said that in their companies, employees had a weak understanding of IT security policy.
Poorly defined accountability was also a concern for 42% of security managers.
“The challenges are shifting from the systems to the people,” said John Colley, managing director Europe, Middle East and Africa at (ISC)2.
“Unfortunately, security requirements are not yet well understood, or worse flouted, often with management support, in order to get a job done.” Firms faced a “colossal task” tackling this problem, he said.
Of those that tried to educate employees on security, 56 percent said training or information was online, and 35 percent used an employee newsletter. Only a quarter trained staff in person.
The greatest security need highlighted by firms was a requirement to manage data, with 72 percent reporting they had a data classification policy.
In spite of the recession, only 22 percent said a lack of budget was hurting security and just 19 percent had trouble buying the latest security technology.
Most businesses (63 percent) track whether their security policies are being followed. Six in 10 took action against employees who broke the policies.
Colley will discuss in-depth the survey findings during a presentation called “Are We Getting the Basics Right” at this year's Infosecurity Europe 2009, which will take place at Earls Court in London on 30 April.