Businesses across the globe believe that their operations are under greater threat than ever before. But findings from the Global Information Security Survey, which questioned 7,000 business technology and security professionals in 40 countries, highlight the primitive measures being used to defend against a significant menace.
Some 91 per cent of North American and 88 per cent of European businesses use basic passwords to protect their data. Only 45 per cent of North American businesses and 32 per cent in Europe use multiple log-ons or passwords with tiered or graded authentication.
Just 19 per cent of North American businesses use one-time passwords or access tokens, compared with five per cent of Europeans, six per cent of Asia-Pacific businesses and seven per cent of South Americans.
Meta Group analyst Tom Scholtz pointed out that businesses often have good intentions when it comes to improving security, but cost inevitably becomes a problem.
"When it comes to things such as passwords, the whole issue is around strong authentication. You should have things like tokens and smartcards, but the issue always comes down to cost versus benefit," he said.
"Many organisations have been investing in strong authentication but, when they've done the initial pilots and calculated the costs, not just for software and hardware but for management, they realise that the cost per user is usually high, and the business maybe doesn't want to pay for it."
Beatrice Rogers, e-business manager at industry trade body Intellect, accepts that cost is a major factor in the adherence to security best practice.
"During the downturn there was a cutback in IT spending and people were looking for direct return on investment for their bottom line," she explained.
"It is very difficult to make a proposition on internal investment, especially for IT directors not reporting directly to the board, until there has been a problem and it's too late.
"What will make an impact is the spate of regulations that are coming out around corporate governance - Basel, Basel II, Sarbanes-Oxley, FSA regulations that create the need for more data security - and that will probably push up IT spend overall."
Peter Sommer, security expert at the London School of Economics, maintains that laziness is to blame. "The trouble is that we have 10 years of literature about this sort of thing, from the unreadably academic to the downright popular, and it's astonishing that people are still being very lazy about it. The only thing that works is a well publicised disaster," he said.
Biometrics, touted for the past seven years or so as the next great security solution, is still very much in its infancy, according to the survey.
Just two per cent of European respondents use biometric-based security, compared with five per cent of North Americans, four per cent of South American businesses and eight per cent of those in the Asia-Pacific region. According to Scholtz, these companies are going to stay in the minority for some time to come.
When it comes to security spending, the survey found that European companies allocate 11 per cent of their budgets to security, compared with 12 per cent in North America, 16 per cent in South America and 17 per cent in Asia-Pacific. In the UK, the mean figure came out at just 9.4 per cent.
"These figures are very interesting," said Scholtz. "As a rule we recommend organisations spend between three and eight per cent. If they're spending 11 per cent, I'm not sure organisations always know how to capture that number."
But Rogers suggested that company culture dictates the level of security spending. "Security is only as good as the people who run it, so it comes down to training and culture and embedding that within the organisation," she said.
"Having the systems and the policies is not enough if they are not being used and the policy sits on the shelf. Culture has to be embedded from the very top right down to the very bottom.
"Best practice is about knowing which parts of your systems need which level of security. So it's about auditing systems, knowing what the security requirements are, applying a policy that meets those requirements, ensuring it is bought into and applied by the users, and constantly updating and re-working it. This is very easy to say; the hard bit is the implementation."
Best practice security is all well and good in theory, but putting it into practice takes a great deal of skill and planning, according to Yan Noblot, information security manager for the Athens 2004 Olympic Games.
"Each organisation must understand its own risk profile and allow this to drive its security spend. However, even with an ample budget, if the spend is not effectively placed, then it will do little to mitigate risk," he explained.
"IT security in Europe is rapidly maturing and with this, corporations will be considering their security issues in the context of business risk. Value should be placed on security controls and sound security practices in a more strategic context and over a longer term."
The survey shows that security spending is up. Some 57 per cent of European respondents reported a budget increase in 2004 compared with 2003, as did 59 per cent of North Americans, 50 per cent of South Americans and 66 per cent of Asia-Pacific businesses.
Enhancing application security has emerged as the biggest security priority over the next 12 months, followed by the installation of better access controls, securing remote access and monitoring user compliance with policies.
The consensus of experts and analysts is that businesses need to look beyond basic security measures and implement an integrated, multi-layered security strategy.
Scholtz maintained that it is essential that security is implemented in line with business needs. He also recommends a process-based approach that does not rely on ad hoc installations.
Noblot shares his approach to security:
Equip the IT systems with the standard range of security systems, from antivirus software to firewalls.
IT security measures should be integrated as standard into the IT infrastructure to develop and implement strong preventive measures against security breaches.
Communication to and from the outside world has to be security-driven.
Conduct extensive testing to understand what is normal traffic on the network, so that abnormal traffic is easily identifiable.
Potentially thousands of false alarms can be generated, so testing allows the IT security team to devise rules identifying which are false alarms and which require urgent action.
Train the entire IT team in security procedures, solutions and disciplines. IT security is not just about technology, it is about people, processes and technology.
Apply the principle of 'Defence in Depth', deploying several layers of controls. If one protection were to fail or be bypassed, the others would be able to contain the attack.
Implement an integrated and flexible security monitoring solution that filters, aggregates and correlates alarms.
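The two monitoring steps above, learning what normal traffic looks like so that abnormal traffic stands out, and then filtering, aggregating and correlating the resulting alarms so the team sees a few incidents rather than thousands of raw alerts, can be sketched in code. The following is an added example written for this page; it is not code from the article or from Noblot's Athens 2004 programme. The host names, ports, byte counts and the z-score threshold of 3.0 are constructed assumptions, and the suppression list stands in for the false-alarm rules a team would derive during its testing period.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# --- Constructed data (hypothetical hosts, ports and byte counts) ----------

# Bytes each host sent per hourly window during the "learn what is normal"
# testing period. backup-01 legitimately bursts during nightly backups.
BASELINE_BYTES = {
    "web-01":    [5_100, 4_900, 5_300, 5_000, 4_800, 5_200],
    "db-01":     [12_000, 11_500, 12_400, 11_900, 12_100, 11_700],
    "backup-01": [200, 150, 90_000, 180, 95_000, 160],
}
# Destination ports each host was seen using during the same period.
BASELINE_PORTS = {
    "web-01": {443, 3306},
    "db-01": {3306},
    "backup-01": {22, 873},
}
# One new hourly window of flow records: (src_host, dst_port, bytes).
OBSERVED = [
    ("web-01", 443, 4_950), ("web-01", 3306, 300), ("web-01", 80, 80),
    ("db-01", 3306, 12_050),
    ("db-01", 4444, 180_000), ("db-01", 4444, 150_000),  # bulk data to a never-seen port
    ("backup-01", 873, 92_000),                          # large, but normal for this host
    ("scanner-01", 443, 20),                             # the team's own vulnerability scanner
]
# Alarm classes found to be false alarms during testing, hence filtered out.
SUPPRESSED = {("scanner-01", "unknown_host")}

Z_THRESHOLD = 3.0  # assumed cut-off: how many standard deviations counts as abnormal


def learn_baseline(history):
    """Return {host: (mean, stdev)} of per-window byte totals."""
    model = {}
    for host, totals in history.items():
        sd = pstdev(totals)
        model[host] = (mean(totals), sd if sd > 0 else 1.0)  # avoid divide by zero
    return model


def detect(flows, baseline, known_ports, z_threshold=Z_THRESHOLD):
    """Compare one window of flows with the baseline and return raw alarms."""
    alarms = []
    totals = defaultdict(int)
    for host, port, nbytes in flows:
        totals[host] += nbytes
        if host not in baseline:
            alarms.append({"host": host, "rule": "unknown_host", "detail": f"port {port}"})
        elif port not in known_ports.get(host, set()):
            alarms.append({"host": host, "rule": "new_port",
                           "detail": f"port {port}, {nbytes} bytes"})
    for host, total in totals.items():
        if host in baseline:
            mu, sd = baseline[host]
            z = (total - mu) / sd
            if z > z_threshold:
                alarms.append({"host": host, "rule": "volume_anomaly",
                               "detail": f"{total} bytes, z={z:.1f}"})
    return alarms


def aggregate(alarms):
    """Collapse repeated alarms into {(host, rule): count}."""
    return Counter((a["host"], a["rule"]) for a in alarms)


def correlate(aggregated, suppressed=frozenset()):
    """Filter known false alarms, then rank each host by the rules it tripped."""
    rules_by_host = defaultdict(dict)
    for (host, rule), count in aggregated.items():
        if (host, rule) in suppressed:
            continue
        rules_by_host[host][rule] = count
    incidents = []
    for host, rules in rules_by_host.items():
        # A volume spike combined with a new destination port on the same host
        # is treated as needing urgent action; a single tripped rule is reviewed.
        urgent = {"volume_anomaly", "new_port"}.issubset(rules)
        incidents.append({"host": host, "severity": "urgent" if urgent else "review",
                          "rules": rules})
    return sorted(incidents, key=lambda i: (i["severity"] != "urgent", i["host"]))


def run(flows=OBSERVED):
    """Full pipeline on the constructed window: baseline -> alarms -> incidents."""
    baseline = learn_baseline(BASELINE_BYTES)
    return correlate(aggregate(detect(flows, baseline, BASELINE_PORTS)), SUPPRESSED)


if __name__ == "__main__":
    for incident in run():
        print(incident["severity"].upper(), incident["host"], incident["rules"])
```

Run as written, the window produces one urgent incident for db-01 (volume far above its baseline plus two flows to a port it has never used), one review item for web-01 (a single new port with negligible volume), nothing for backup-01 because its learned baseline already includes large nightly transfers, and nothing for the scanner because that alarm class was marked a false alarm during testing. Changing the threshold or the suppression list is the tuning step the text describes.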