IT departments can end up being the whipping boy for security breaches if they don't drive a cultural change within their organization, IDC warned last week.

Senior IT management analyst Peter Hind said security goes beyond the IT department and senior business executives need to take responsibility for threats.

"The challenge of information security in business today is cultural change," he said.

"IT people are taking ownership of this task, but we cannot let business abdicate responsibility in this area.

"Unless you can get business to take charge of this, IT faces the risk of being the whipping boy for these problems."

Hind said there is no technology solution that can act as a silver bullet which is why cultural change is so important.

Moreover, threats will only increase.

"The nature of these electronic attacks is changing. Threats are more intermittent and we need to be more aware of spyware and network degradation as much as fraud and data theft," Hind said.

"The challenge is increasingly about getting end users to understand the significance of this."

ACI Plastics Packaging IT operations manager Kevin Ortlipp agrees, claiming most organizations do not understand the significance of IT security.

"They [end users] usually don't think it affects them, and if they were educated they might be more prudent in their IT use," Ortlipp said, adding that he is undertaking a number of user education initiatives.

"Our company does education and also enforces a company policy," he said.

Ortlipp firmly believes that business is responsible for security, not IT.

"They write the rules so they should be the ones that have to enforce them, all IT can do is inform," Ortlipp said.