Australia's IT industry is talking tough about security but it's certainly not translating into dollars with medium to large companies averaging a measly spend of $33,000 per annum.

Even more alarming is that up to forty per cent of businesses have no formal written IT policy and a further 34 per cent spend less than $10,000 a year on IT systems security.

According to a survey by CSC of 80 medium to large businesses in Australia organisations 'baulk at the initial outlay' required to invest in security despite greater awareness and concern about the impact of a serious security breach.

Asked where this figure of $33,000 is being spent CSC's director of global information security services Kim Valois said the survey didn't address this question but it is likely to be on a bi-annual audit.

"I suspect these organisations have a firewall and anti-virus software in place but no real strategic defence despite 70 per cent of those surveyed rating the security of their IT systems as a high priority," Valois said.

Even more revealing is the fact that 80 per cent were unaware of any security breaches or losses suffered by their company in the past 12 months.

Valois said a greater investment in systems used for preventative measures and procedures are needed to detect breaches and alert managers of disruptions or damages.

Interestingly, 69 per cent of respondents nominated loss of an organisation's assets or intellectual property as being a main area of concern.

CSC's senior security architect Gilbert Alaverdian demonstrated his expertise as an ethical hacker showing how easy it is to penetrate a system.

Alaverdian said hackers regard firewalls as gates that can be opened with the right protocols, rather than fences that have to be jumped over.

He said security is not really an obstacle because hackers just take advantage of common product vulnerabilities especially default configurations, poor or nonexistent security on servers or operating systems and older version applications which are vulnerable to penetration and weak passwords.

The survey sample was drawn from Dun & Bradstreet lists purchased specifically for the project and contained contact names for CIOs, IT managers and MIS managers. The main areas of concern were disaster recovery and business continuity planning and virus/worm outbreaks.