Lax security a result of poor policy making

UK business is failing to make even the first step towards security, according to a study released by the Department of Trade and Industry this week, but the remedy may not be as straightforward as people think.

The DTI survey found only 25 per cent of UK companies have a security policy in place. Such a policy is vital to tell users what they can and cannot do with their machines. Without this most basic step other security measures are likely to be ineffective.

However, the security industry has now acknowledged that security policies are too complicated for IT managers because they require constant updating to reflect the changing nature of a company's IT infrastructure.

David Hofacker, UK country manager for a software company Extended Systems, said: "The figures from the study are not a surprise because security policy is a very difficult thing to write and maintain. IT managers are struggling to update the policies because things change so fast and they have their hands full."

Jason Holloway, UK managing director of Finnish security company F-secure, said: "Security policies should be constantly re-written, not just be over and done with. Companies should invest money on getting it done properly and if they cannot do it in-house, they should get someone else to do it."

Dag Ströman, technical consultant at RSA Security, said vendors cannot write the policies for IT departments: "It's a bit like buying a car. They come with manuals but no-one can ensure safe driving except the driver."