The importance of the human element in security has been highlighted at Infosecurity 2008 in London this week, with a government report showing incidents remain high despite overall improvements in controls.
The 2008 Information Security Breaches survey of 1,000 UK companies for the Department for Business, Enterprise and Regulatory Reform (BERR) shows 99% of firms back up critical systems and data, 98% scan for spyware, 95% scan e-mail for viruses, and 94% encrypt wireless network transmissions - but 45% still reported security incidents in the past year.
Martin Smith, chairman of training provider The Security Company, said the only way to bring this figure down was to match investment in technology with investment in security training for staff.
"Security is about both technology and people," he said. "If organisations do not bring their staff up to the same level as the security technology they have put in place, they are still leaving the front door wide open for attackers."
The BERR survey indicates UK companies are beginning to understand the importance of communication, with 55% claiming to have an information security policy in place, but Smith said that in reality, few companies were moving from raising awareness to changing behaviour.
Paul Simmonds, ICI's global information security director, told a Jericho Forum masterclass that technology was maturing, but people and process remained a problem.
"Implementing technology will never force change," he said.
Smith said companies had to make information security messages real and personal to reflect the role of each member of staff. Awareness needed to be measured to establish a baseline, and improvements then tracked regularly.
He said the security industry was too product-focused because that was where the money was made, but it was high time organisations realised they needed to spend money in all areas.
"There is no technical fix for human error or stupidity, and there is no single product that will stop someone sending an unencrypted disc containing personal data through the post," said Smith.
Pound for pound, spending money on raising awareness and making security the responsibility of every member of staff was more effective in preventing breaches than ploughing more cash into security products, he said.
"Companies need to pay attention to where the problem is - the human element. IT people are convinced they can solve the problem with technology, but they will always be a step behind."