Biggest security headache just won't go away...

For all the technology on display at InfoSecurity Europe this week it seems the biggest problem plaguing IT directors is still the largely non-technical issue of end-users and their ability to undermine even the most robust security.

According to a silicon.com poll, employees represent the biggest single threat to any company. And while temps have often come in for stick because of the threat more nomadic staff can pose, one attendee at InfoSec said it is the sales team, with their eye on business critical data, that really need to be watched - if only for their own sake.

Employee error was cited by 17.2 per cent of respondents as the biggest threat while malicious employee activity was cited by 13.1 per cent - meaning almost a third of respondents fear the activity, whether intentional or not, of their staff.

Spyware was next up, cited by 27.8 per cent of respondents, with viruses being cited by 20.5 per cent, followed by phishing (11.3 per cent) and hacking (10.5 per cent).

Separate research from Unisys reveals that 51 per cent of security managers believe negligent or malicious employees are a significant threat to their business.

Mark Thomas, head of security at Logicalis, told silicon.com: "One of the biggest problems is that everybody comes into a company on day one, signs the email and internet usage policy and that's the last they think about it."

Many companies have made a rod for their own backs by turning a blind eye to many behaviours which are technically in breach of the rules, he added.

And he believes the problem is out of control, with a raft of consumer gadgets and portable storage devices travelling in and out of organisations each day and staff making free with email, IM and their internet access and storing illegal copyrighted files on the network.

"If you walked out of your office four years ago with a 40Gb hard drive under your arm you would be arrested but that's exactly what people are doing every day."

The problem, especially where companies losing track of their data is concerned, isn't helped by the form factor of increasingly scaled down storage devices.

"The mediums are almost impossible to control and they will continue to grow in numbers. So companies have to secure their data."

The far and wide distribution of data outside the organisation also creates problems, said Gary Clark, VP EMEA at encryption specialist SafeNet. The more well-travelled data becomes, on phones, laptops, handhelds, over networks, site to site and on portable storage devices, the greater the chance it will be lost or stolen along the way.

But before implementing any measures which will change and limit the way employees can interact with data within the organisation, companies need to make sure staff know why they are doing it, said Logicalis' Thomas.

"They need to say, we're not doing this because we're being Big Brother. They need to convey the message as to why security is important and they need to get people to buy in to this."

Thomas added that companies could do worse than start with their sales team. Often the sales team will include the biggest gadget fans who act as their own administrator, he said. They are also frequently the ones with most direct access to business critical data which can be compromised either accidentally or maliciously.

"It's the sales guys you need to watch, you need to know if they're emailing all your sales lists to their Hotmail accounts."