UK firms plagued by security dunces

UK organisations are failing to communicate the business importance of security policies to staff, according to a new survey, with most staff reporting that they regarded security as a technical issue. This situation is likely to lead to security breaches, warned the National Computing Centre (NCC), which published the survey results on Thursday.

The NCC, an independent research organisation with members that include universities, government bodies, small businesses and enterprises, said organisations' IT security culture is not keeping pace with their growing reliance on computing systems, with security breaches leading to financial losses and business disruption.

"IT managers need to convey this message in business terms, by highlighting the financial impact of information security failures," said NCC chief executive Michael Gough, in a statement. "The key issue here is raising the profile of information and IT security so that it is on the business agenda, not just the IT agenda."

About 80 per cent of UK organisations have a formal IT security policy, the NCC said. The survey found a direct relationship between the security awareness of top managers and that of the staff generally, suggesting that support from the upper echelons of management is necessary to create a strong IT security culture in the rest of the company.

Particular techniques of maintaining security awareness also appeared to make a difference, the NCC said. Organisations that used an ongoing, varied process to keep staff up to date on IT security issues reported the highest levels of staff awareness.

The group recommended that organisations take tough disciplinary action for internet abuse, encourage genuine management involvement in IT security issues and include IT security issues in senior management performance appraisals.

Matthew Broersma writes for ZDNet UK