Untrained users highlighted as security risks

The study, conducted by a consortium, led by PricewaterhouseCoopers, on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR), found that firms are placing greater trust in their staff.

Seven out of eight firms now have information security policies in place according to newly released findings from the annual Information Security Breaches Survey (ISBS). Those policies are loosening controls over users.

Fifty four percent said they allow staff to remotely access systems – a rise of 19 percent from last year's study – while the number of businesses restricting internet access to some staff only has nearly halved from 42 percent to 24 percent.

Training staff in security basics is an essential part of any information security strategy, argued Martin Smith, chief executive of The Security Company. "The industry is dominated by technology and technologists … but I've never seen a computer commit a crime, it's always people," he argued.

Smith added that long term behavioural change programmes are the best way to mitigate risk in this area, but most firms are unable to find budget to support such initiatives because "they're hard work and fairly intense"

The importance of security awareness was also highlighted in new figures from security certifications organisation ISC2. The 2008 ISC2 Global Information Workforce Study, set for full release in April, asked 6,523 certified professionals about the importance of certain skills. It found that 90 percent said a good understanding of security and communication skills are the most important.