About 65% of the respondents admit to not taking all the steps they should, the survey found. "So they're vulnerable," Meinhardt said. "They're not taking the next steps to protect their own jobs."
But the guys on the front lines aren't as empowered as they should be either, say experts, particularly in medium-sized companies where IT workers tend to be generalists. When you take a generalist and expect them to handle a complex problem with a complex tool, something is going to fall through the cracks.
"These guys aren't security experts," Meinhardt said.
The 246 participants polled represented a wide range of IT functions, including hands-on professionals, team managers and business owners, with many participants indicating they had multiple roles within their organization.
Experts say the CIO is often the first executive to be called to task for any IT security violation, despite the fact that problems with security generally involve a number of departments. But the problem at many companies is executives don't know whom to blame because they haven't assigned responsibility for risk, experts say.
"In the midmarket world I would imagine that fear among the rank and file would exist -- that seems logical -- whether it's your only job or one of eight things you do, someone is responsible for keeping data security," said Jack Phillips, managing partner of the Institute for Applied Network Security in Boston.
Still, he said, he believes that everyone, for one reason or another, feels insecure about his or her job, and what most will discover is that if the ax falls, it won't necessarily be because of anything they did wrong. More often than not, it will be a "classic case of peeling back the onion until you get to the kernel," he said. In the event of a breach, "a lot of folks get implicated and then are vindicated when it's discovered that it wasn't really their fault. The focus of attention goes elsewhere." Bottom line: No one should lose sleep over this.
The anxiety on the part of IT workers really boils down to a lack of training and knowledge, said Rick Harrison, MIS Director for the City of Columbia, Tenn., located 45 miles south of Nashville. Population: 38,000.
"They've done everything they knew to do, but they don't have time to keep up," he said.
Moreover, while 87% of IT organizations are confident in their ability to deal with viruses, spam, spyware and malware, only 35% feel they are equipped to deal with lost corporate or personal data.
"You [make sure you] do your due diligence. But you can only go so far," said Harrison, who claims not to lose sleep over security. "I truly believe [that if there is] a hacker [intent on getting into your system] he'll get in regardless, and it will not be the fault of your IT department."
Plus, mistakes can happen, he said, adding that the powers that be have to be reasonable and "allow a certain amount of room for being human."