Only 11 percent of the IT security professionals from 20 countries who were polled at the recent E-Crime Congress in London argued that external threats, such as hackers and organized cyber-crime, pose a bigger issue.
Despite the consensus that employees posed the highest security risk, only ten percent of respondents thought that employees were responsible for a web-security breach. The majority, 74 percent, felt the board of directors was ultimately accountable, while 21 percent felt the responsibility lay within the IT department.
Some 44 percent of respondents weighed the risks between "internal" and "external" threats equally.
Furthermore, 74 percent of respondents to the poll, which was commissioned by security firm Websense, felt that legislation to protect against e-crime attacks has been inadequate. For example, 64 percent of the respondents called for stronger legislation. In addition, more than 60 percent believed legislation to be unenforceable. Reasons cited include lack of law-enforcement resources (46 percent); lack of co-operation across jurisdictions (38 percent); breaches not being reported (28 percent); and legislation not being specific enough (28 percent).
The survey also found that only eight percent of respondents felt the "average" company takes a proactive approach to security, with over half (59 percent) reporting that companies were only reactive.
Interestingly, respondents surveyed felt that compliance legislation, such as Basel II and the Sarbanes-Oxley Act, has played a positive role in driving security spend and implementation (74 percent).
"With so many attacks from the outside, it's easy to forget that security can be breached within the four walls of your own company. The 'threat from within' is more often than not completely unintentional, and employees are breaching security unwittingly. Today's cyber-crime tactics are socially engineered to look real, and unsuspecting users within an organization can easily be duped," said Mark Murtagh, director of technical support for Websense.
"With the board of directors ultimately held accountable for web security breaches, it's important for companies to have robust policies that automate processes for all employees. So, whilst definitive responsibility lies in the hands of the board, they must ensure that their business is not left vulnerable to the keystrokes of employees."