Information security is everyone's business, but that message doesn't always filter up to the highest level of the organisation. New research from Ernst & Young finds that companies should be doing more to safeguard their data.

The 2004 Ernst & Young Global Information Security Survey is based on responses from 1,233 worldwide organisations. Of these respondents, more than 70% failed to identify training and raising employee awareness of information security issues as a top initiative.

Companies are generally focused on external threats such as viruses, and are putting technology measures such as firewalls and anti-virus software in place to reduce these risks. But not enough attention is being paid to internal threats.

"While the public's attention remains focused upon the external threats, companies face far greater damage from insiders' misconduct, omissions, oversights, or an organisational culture that violates existing standards," says Edwin Bennett, global director of Ernst & Young's Technology and Security Risk Services. "Because many insider incidents are based on concealment, organizations often are unaware they're being victimized."

Bennett recommends creating a security-conscious culture at the top. The CEO and the board must approach security as a way to gain competitive advantage and preserve shareholder value rather than as a necessary cost of doing business.

"More could and should be done to transform the skills and awareness of their people, who often present the greatest opportunity for vulnerabilities - and convert them into its strongest layer of defense," he says.

For the complete survey results, go to: http://www.ey.com/global/content.nsf/International/Home