The NCC is the UK's largest cross-sector membership and research organisation for IT users. Its survey on information security was sponsored by Ernst & Young, Computer Weekly and Information Risk Management.
The survey also found that, while it has long been said that effective information security is a people and organisational issue, firms and their staff are still failing to get the message. Two-thirds of respondents said that in their organisations information security is regarded as a technical issue that just needs a technical fix.
The independent survey found that in organisations where respondents reported highly security-aware top managers, end-users were also more likely to be security-aware.
The responses indicate that support from top management is a necessary condition for achieving high levels of information security awareness and an effective information security culture.
But the awareness has to be promoted throughout the organisation. It is not enough to tell people just once or to simply issue them with security guidelines when they are recruited.
Information security awareness is a continuous process, and those organisations that used a continuous and varied process to remind and update staff on information security issues reported higher levels of awareness in their organisation than those that did not.
The failure to take information security seriously is likely to result in security breaches with consequent effects of loss, interruption or business failure, warned the NCC.
According to Michael Gough, CEO of NCC:
"The key issue here is raising the profile of information and IT security so that it is on the business agenda, not just the IT agenda. Companies rely heavily on computer-based information systems and the increasing drive towards mobility means that poor security processes will inevitably lead to disruption and financial losses. IT managers need to convey this message in business terms, by highlighting the financial impact of information security failures. This is their duty as leaders of IT in the business."
John Butters, Partner in Ernst & Young's Information Security Practice, added: "Updating rules in technology is easy, changing human behaviour is much more difficult."
The NCC advised that organisations should:
Take tough disciplinary action for internet abuse;
Have visible and genuine management ownership and awareness; and
Include security and risk management measures in senior management's performance appraisals.