When it comes to security, ignorance is bliss at the top

Europe's senior IT managers are adopting a heads-in-the sand approach to IT security, according to research from security firm Websense

European IT chiefs have revealed a shocking awareness of security threats — apparently favouring an 'ignorance is bliss' mentality which leaves them all highly confident about the state of their crumbling security.

Latest research reveals the majority of IT bosses are confident about their companies' security yet when drilling down through the findings we find a picture of disarray as companies lose track of laptops, remote access, the latest threats and the risk of employee wrong-doing.

According to findings released today, 99 percent of respondents said they are protected from threats while only three percent of European IT bosses believe they will never be 100 percent secure.

Furthermore not a single UK recipient doubts they will attain 100 percent secure status. Such findings seem more indicative of the fact they don't realise what the threats are rather than being evidence of them being on top of their risk.

Mark Murtagh, European technical director at Websense — a provider of Web filtering and Internet securtity services which commissioned the research — said it paints a worrying picture for companies.

"Perhaps the thing which causes the most concern is this is what they are reporting back to their board," he said. "We obviously still need a real wake-up call."

Eight percent of companies have no additional security in place beyond desktop antivirus and a firewall and many are being slow to react to the latest threats.

Despite it being an issue which has hit the headlines in a big way over the past 12 months spyware is still getting an easy ride, with 35 percent of companies having no protection of any kind in place.

And the ways in which spyware can get onto a machine continue to thrive with 56 percent of firms letting staff install and use peer-to-peer software — a common source of malicious code — and 43 percent of firms doing nothing to limit employee Web-surfing. Furthermore 62 percent of companies are doing nothing to limit staff access to phishing sites.

And if staff decide to turn on their company and steal data or access areas of the network they shouldn't, only 40 percent are equipped to identify them.

And when it comes to staff out and about on the move there appear to be huge holes through corporate security. More than two-thirds of UK IT bosses (68 percent) think laptops, which are taken home or used remotely and then plugged back into the network, pose a security risk and yet only a quarter (26 percent) are really doing anything about it. Almost the same amount (22 percent) believe staff installing peer-to-peer software, games or freeware for use at home poses no threat to the enterprise when that laptop come back within the security perimeter.

"Too many companies are leaving these matters in the hands of their employees," said Murtagh. "But you cannot rely upon the individual to take the necessary measures to protect their laptops and consequently the network."

More than two-thirds (69 percent) of respondents believe staff are responsible for how laptops are used when they are taken out of the office. Only 21 percent believe it is the responsibility of the IT department while six percent said they don't know who is responsible.

And while employees must play a part, history has shown users cannot be the only line of defence — especially while policy and education are still wanting. Around half the companies surveyed do not sign up staff to an Internet and email usage policy.

Other measures which should be taken are also being overlooked or undertaken too lightly.

Murtagh said thorough PC audits need to be undertaken — suggesting those who currently claim to do so may only be scratching the surface. While 40 percent of respondents claim to audit PCs every three to six months, Murtagh believes this may amount to little more than 'head count' — "how many have we got and what operating system are they running?".

"Companies need to seriously audit PCs and undertake full risk assessment. They need to understand how PCs are being used and what traffic they are generating," said Murtagh.

But it's unlikely change will happen quickly.

"I'd like to think if we did this survey again in six months I'd have some cause for optimism but there will still be a large number of companies who have failed to get a grip on their Internet security," said Murtagh.