Forget hackers, software bugs or disgruntled employers. More than half of senior IT security managers think that their own IT departments pose the biggest threat to IT security, according to a survey by UK-based security consultancy Defcom.

Defcom found that more than two-thirds of security managers feel that their IT staff do not have the required skills to tackle the growing spectrum of security threats that can wreak havoc with IT systems. But of these managers, only one-tenth said that malicious hackers, who launch attacks such as the Code Red distributed denial of service attacks that hit thousands of servers in mid-2001, are the biggest threat to their IT security.

A much greater threat comes from IT staff, who inadvertently create security vulnerabilities when they upgrade systems or try to integrate new applications into a core infrastructure of software and systems.

Nearly three-quarters of senior IT managers are also reviewing access to their corporate premises and computers, as well as performing the arduous task of monitoring their IT infrastructure for attacks such as destructive computer viruses, or selfpropagating worms.

In the past, facility or office managers have managed a building’s physical security. But many companies have now delegated this task to IT managers because they consider the issue of ‘social engineering’ – where unauthorised people try to enter a building by posing as a legitimate employee so they can get access to its systems to be a serious threat.

When problems do occur, nine-tenths of IT managers responded that they would rather report to a chief risk officer than to a chief financial officer or finance director. After all, doing so could place next year’s IT budget on the line.