Effective protection of vital IT assets and data demands a balanced approach to security system deployment and a disciplined approach to enforcing security practice.

Leaving log-ins and passwords taped to computer monitors, accessing instant messaging (IM) services on company computers, or opening spam messages containing Trojans and viruses: these seemingly innocuous actions can lead to a severe breach of an organisation’s IT security.
A recent Department of Trade and Industry (DTI) Information Security Breaches survey, for example, revealed that in 52% of large businesses, the most severe security breaches were caused by people within that organisation.
But rather than malicious intent, experts have blamed ignorance and poor training for the growing insider threat. Recent research from YouGov found that, although 28% of employees used an instant messaging (IM) application at least once a week, most were unaware of the risks posed by their behaviour.
And there have been numerous surveys that have shown that people will divulge sensitive password information for as little as a free chocolate bar or ballpoint pen without realising the potential consequences, while still others reveal that employees continue to use nicknames and names of their loved ones or pets as their secure log-in and password.
Yet despite this, the DTI survey found that, while the average UK company spends 4-5% of its IT budget on information security (and one fifth spent less than 1% of their IT budget on security), one in eight organisations still does nothing to educate staff about their security responsibilities.
A balanced approach to IT security should, therefore, include not only security technology but also a comprehensive set of security policies that employees can both understand and keep to.
Policy documents cover issues such as acceptable use of hardware and electronic communications and set out exactly what is expected of staff – what they can and can’t do – and need to be regularly updated as both technology and employee requirements change.
British and international standards, including BS 7799 and ISO 27001, can provide some guidance on what to include and how to approach implementing and enforcing a company-wide security policy.
BS 7799, for example, does not go into technical detail on how to implement firewalls or protect against virus attacks. Its focus is on managing security and it provides a checklist of objectives that each organisation should achieve in their security processes.
Even though the DTI survey found that uptake of the standard had been ‘disappointing’, with just one in ten businesses surveyed aware of its contents, many businesses find the guidelines useful as a foundation to their own security policies and are using the parts that are most relevant to them.
ISO 27001, the international standard for Information Security Management Systems, can also provide useful guidance when putting together a security policy as, to comply with the standard, an organisation has to develop and implement a framework to ensure its IT systems and data are managed in a secure way.
Once the security policy has been devised, it needs to be implemented and enforced. A common failing among many businesses, however, is to devise and announce the introduction of a security policy with great fanfare, but then allow it to fade into the background by not subsequently reinforcing and updating it.
An effective way to manage IT security and ensure policies are adhered to is through the appointment of an IT security manager, something that almost half of respondents to the Information Age Effective IT Survey 2006 have done. Of those that appointed an IT security manager, 75% found them to be very or most effective and had seen an improvement in IT security service levels.
As well as implementing security technologies to fight external and internal breaches, it should be part of the IT security manager’s remit to provide education on company security policies and remind staff of their security responsibilities.
While it is possible to introduce monitoring packages, such as content filtering of inappropriate websites, systems that prevent the use of peer-to-peer file sharing applications, and scanning of emails for potentially harmful viruses, most analysts agree that these packages are no substitute for effectively managing staff compliance through training and awareness.
Although some analysts believe that making a security policy personal to your staff will lead to them policing it themselves and creating a secure working environment, others advocate a zero-tolerance approach to breaches, even to the extent of making an example of staff who go against company policy.
And with greater awareness of the potential consequences of their own actions, perhaps the biggest threat to an organisation’s IT security will start to be those faceless criminal networks, and not the organisation’s own employees.