
Firms spending too much on security technology, says research…
By Andy McCue
Published: 11 July 2003 07:20 BST
Companies are still leaving themselves exposed to security breaches by focusing on technology and not policies, according to a survey of major public and private sector users.
The third annual 'Information Security in the UK 2003' survey by consultancy Detica quizzed 140 FTSE 500 companies and major public sector organisations.
It found awareness of formal security procedures within companies has dropped from 82 per cent last year to 54 per cent this year. And 40 per cent said security investment is focused on technology, compared to 35 per cent who said it goes on policy.
David Porter, head of security and risk at Detica, told silicon.com that although internal and external threats are equally troublesome, resources are disproportionately spent on things like firewalls in an attempt to shore up the perimeter of the network.
"There's probably an equivalent threat on both sides but most resources are being spent on the external threat. They often take a prevention-centric approach pumping money into things like firewalls but what that won't do is keep out the insider threat."
On a brighter note for the public sector, the survey shows it is taking a better approach to IT security, with the commercial sector looking more to short-term ad hoc solutions as opposed to a strategic view.
Porter said: "The private sector seems to think that by buying technology they can tick the compliance box but technology is just there to implement procedures."
Awareness of the security standard BS7799 has dropped significantly with just two per cent of respondents looking for accreditation this year, while 57 per cent of IT directors are not even aware of it.
Porter said the cull of middle management in numerous firms through the 1990s had removed many checks and balances, which allowed employees to perpetrate fraud by electronic means. Helpdesk staff in particular, he said, had access to lots of high-value information in various systems.