Project procurement requests often include poorly defined security requirements, exposing firms to potential risks once systems go online, the study into information security consultants revealed.
"Unsophisticated buyers, unwilling to accept the cost and complexity of a properly secure solution for which they do not understand the need, often accept a simple, cheap alternative without realising the risk implications," the report said.
Feedback from service providers suggests that many businesses do not consider security when they outsource their IT, and some regard security as an unnecessary expense. As a result, businesses may be offered solutions from inexperienced IT service companies. Although these companies undercut more experienced suppliers, they fail to provide adequate security.
Although firms see no need for government regulation of IT security consultants, some expressed concerns about "cowboy" suppliers offering penetration testing services. Many felt that suppliers offering "noddy" services using common open source tools to identify product vulnerabilities, rather than doing a test specific to the target systems, give users a false sense of security.
The study found that most organisations buy security services from companies recommended to them or from known, trusted suppliers. But few organisations look at the qualifications of the consultants they hire - an issue which may need to be addressed by re-assessing the scope of professional security qualifications.
More needs to be done to educate small businesses and non-IT professionals about data security, the report said.