Half of UK security managers are concerned about end-users' lack of security awareness, a survey has revealed.
In a poll of more than 700 security professionals, the biggest concerns were a lack of training (48%), an unsupportive company culture (48%), poor employee understanding of policy (46%) and a lack of defined accountability (42%).
Concerns about these obstacles to security compliance are significantly higher than traditional concerns, said the report on the joint (ISC)2 and Infosec Europe 2009 survey.
Only 22% said they are concerned about a lack of budget and 19% said they are concerned about the ability to procure the latest technology.
"The challenges are shifting from the systems to people," said John Colley, EMEA managing director for (ISC)2.
The relatively low concern about budgets suggests security continues to be viewed as a business imperative, even in the current economic climate, he said.
According to Colley, businesses have a huge task ahead to ensure employees understand what is expected of them in terms of IT security and why. "Unfortunately, security requirements are not yet well understood, or worse, flouted, often with management support to get the job done," he said.
The survey found that although 60% said there were punitive consequences for non-compliance with security policy, only 2% felt those sanctions were understood by everyone.
According to Colley, many organisations are still in the early stages of improving security awareness.
"The generic programme delivered by the company intranet cannot be adequate, because one size does not necessarily fit all," he said.
Colley is to give a presentation on getting the basics of security right at Infosecurity Europe 2009 at Earls Court in London on 30 April.