IT security is a priority for less than a quarter (23%) of UK
businesses with fewer than 250 employees, a survey has
revealed.
More than a third (37%) of the 269 IT professionals polled said
IT security was an area of minimal investment or one that could be
cut if necessary.
Most of these organisations are choosing instead to invest in IT
infrastructure, in sharp contrast to general trends, according to
the survey report by Redshift Research.
IT decision-makers at small and medium-sized enterprises (SMEs)
in the UK continue to underestimate the security required to
protect corporate data, the report said.
SMEs are paying relatively little attention to threats from
data theft by employees, the survey found.
More than three quarters (78%) regard external threats as more
important, with only half expressing concern about internal
threats.
The biggest concerns are virus attacks (88%), accidental data
corruption (87%) and spam (77%).
Only 55% are concerned about viruses being introduced by USB
sticks and 59% are concerned about staff losing USB sticks
containing sensitive information.
Most SMEs do not realise that employees could walk away with all
the company data on a USB stick, said Walter Scott, chief executive
of security firm GFI Software, which commissioned the survey.
The majority of SMEs are also failing to protect themselves with
written IT security policies that are signed by employees.
Some 60% of organisations said they either have no policy to
regulate access to the network by portable devices or have only
informal guidelines in place.
Two of the main contributory factors, said Scott, are that
unlike larger enterprises, SMEs have less exposure to governance
frameworks such as Cobit and there is a greater level of trust.
"In larger organisations managers are less likely to know each
employee personally and are, therefore, more likely to put
governance structures in place," he said.
Almost all companies surveyed use basic IT security measures
such as anti-virus software, but relatively few manage portable
memory device access to networks (45%), use network event logging
software (55%) or web filtering (61%).
"There is a pervasive indifference towards monitoring the
whereabouts of data and its ability to be accessed or copied," said
Scott.
A third of respondents said they could not track what portable
devices have been connected to the network, 41% did not know what
data is downloaded to these devices and 21% had no ability to track
where business-critical data is stored.
"This lack of insight into the emerging internal threat has left
these organisations woefully lacking in key areas of security," the
report said.