Less than half of UK companies are ready to comply with information security measures such as the Payment Card Industry's Data Security Standard (PCI DSS) and the Markets in Financial Instruments Directive (Mifid), according to a survey of more than 200 chief information security officers.
The survey, by EMedia for enterprise security supplier NetIQ, showed that most company boards were "paying lip service" to IT security despite, in some cases, being personally liable for damages due to non-compliance.
The least-prepared are medium to large companies, said Ulrich Weigel, NetIQ's chief security strategist. "They believe the chances of being caught non-complying are very small," he said.
Very large firms are generally well up on the matter, and most compliance regulators felt very small firms had less significant transaction volumes, he said.
Weigel said in Germany the chance of being singled out for a tax audit was about 2%. "Companies are taking a similar risk management approach to compliance with PCI and Mifid, and all the other compliance standards."
The survey, which covered banking, insurance, retail and manufacturing firms, found that nearly 60% of staff did not understand the legislation that affected their business. However, 70% still felt that their security policies were closely aligned with their business objectives and risk areas.
Weigel said they could fix this anomaly using well-thought out security policies and procedures. "Information security is not an IT project," he said. "Firms need to start small and design security into their corporate processes. If they then incentivise secure behaviour, security will become part of the firm's cultural DNA."