
Which is it going to be? The latter is impractical... but why should the former be proving so tricky?
Published: 9 August 2004 16:10 GMT
Many small companies in the UK are despairing at the part their employees are playing in security breaches - yet too few are taking appropriate action to stop them.
Among small to medium-sized enterprises (SMEs), end-user error is still perceived as the highest risk to the business, and while many have policies in place to crack down on this threat, too few are enforcing them, according to research conducted by the IOD with its members.
In total, 50 per cent of businesses cited their staff as the biggest threat, with issues ranging from the naïve, such as opening an infected email, to the malicious - data theft, for example.
The vast majority of firms (88 per cent) recognise that download and peer-to-peer services present a risk to their business and three-quarters (75 per cent) have policies in place warning against using services such as Kazaa or instant messaging applications. However, despite such policies, 66 per cent of respondents acknowledged that it still goes on within their organisation - proving that company rules are either ineffectively enforced or simply ignored.
Among the other actions cited by respondents to the survey were practices such as employees deactivating security software.
Sal Viveros, SME director at McAfee, believes this is often due to an "I know better" culture with employees who think they are above security policies. Many may also be disabling software to run non-work-related applications, or use USB gadgets, for example.
But companies are also doing too little to help themselves against the accidental or wilful actions of their workers. The survey found that eight per cent of small businesses still have no desktop antivirus software - the most basic of all protections.
Viveros said it is "shocking that employees can still pose such a threat to companies after so many years."
"It seems companies are still willing to take a risk," he added, addressing the sometimes patchy security in place within small companies.
Viveros also believes a lack of authority on the part of the IT department plays a major part, with staff unlikely to heed verbal or written warnings from their techies. And that is when there is even an IT department to talk of.
"Often in small companies there isn't a dedicated IT department managing issues such as security. Often it is just an individual who may have no expertise that gets charged with the job of looking after IT," said Viveros.
"That guy may not understand the challenges and may be trying to balance all kinds of issues and budgets - especially in a company that isn't taking security seriously. He's going to find himself thinking 'do we get some protection from spam?', for example, or 'do we buy a new PC for the person who's just started?'."
Such decisions, poor levels of understanding and budgetary constraints appear to still be dogging small businesses but in the short term Viveros believes a lot of damage can be limited by properly educating staff about the threats facing the company's network and the role they could play in launching an attack.
Copyright © 2008 CBS Interactive Limited. All rights reserved.