UK IT departments are poorly prepared to deal with terrorist attacks or viruses getting past their software defences, according to new BCS research.
Less than 50% of IT departments have formal procedures for dealing with threats such as a bomb or a fire, and only 33% have a plan if a virus beats their anti-virus software, according to the study by the BCS and Henley Management College.
Even though 91% of senior IT managers questioned have security policies in place to avoid or reduce threats, only a minority have contingency plans if policies are breached.
Attacks from within are still seen as the biggest threat to IT security: internal fraud and abuse are rated as a high or medium threat by 72% of IT managers.
Just under 40% see breaches of confidentiality as the main risk to corporate data, compared to, for example, the 20% who think the main risk is service failures.
The research suggests that better education of staff is needed: only 50% of managers believe that a security culture is fostered in their organisation, and they feel that low priority is given to promoting such a culture through education and training. Just over 40% of organisations provide IT security training, and 26% recruit IT security professionals.
In addition, company boards show varying levels of interest in IT security. Only 33% of IT managers feel that their board takes an interest in IT security, and they think security is more likely to be seen by top management as an operational issue.
"This study shows that most UK companies are still failing to fully address IT security risks," said David Clarke, chief executive of the BCS.
"The respondents' biggest concern was confidentiality and internal fraud, so it is clear that spending more money on technology is not always necessary. Appropriate investments need to be made in expertise and training to encourage greater awareness of potential risks to IT systems."
Read more on IT risk management
Security Think Tank: Understanding risk key to security balance
UK government announces Cyber Crime Reduction Partnership
Security Think Tank: What are the risks associated with social-media use, and who owns these risks?
Responsibility for security of end-point devices must be shared across the business