IT security spending 'failing to deliver'

Poor staff training and lack of direction from the boardroom are hampering security investments

Written by Daniel Thomas

IT security investments are failing to deliver a proper return due to insufficient staff training and lack of direction from the boardroom, according to a global survey by Ernst & Young.

And despite increased spending on anti-virus, intrusion detection and email spam products, firms are still at risk from staff errors and malicious attacks from former employees, says the consultancy.

The Global Information Security Survey 2004 interviewed more than 1,230 organisations in 51 countries and found that:

* Only 20 per cent of businesses believe information security is a chief executive-level concern, despite the growth in regulatory compliance

* Less than 30 per cent of organisations view security training and employee education as integral to their IT plans

* More than 70 per cent of board directors did not receive quarterly updates on IT security issues

'People are spending a significant amount of money on protecting against viruses and hackers but the enemy within could be a far greater concern,' said Jan Babiak, managing partner of Ernst & Young's information security services division.

'Too many people think security is a technology issue but in reality the weakest link is human interaction.'

Hardware failure topped the list of incidents causing business downtime, with 87 per cent of cases originating from internal errors, the survey reveals.

Other major security problems resulted from people installing inappropriate software such as peer-to-peer applications, from employee misconduct, and from former staff who had not been locked out of the system.

'A quarter of companies have an unexpected outage as a result of former or current employee behaviour,' said Babiak.

Firms need to ingrain security into policies and employee practices throughout the business, not just the IT department, says the study, and senior executives need to take the lead.

'Security is not something that can be dealt with in a single department or geography because you have other issues, such as data protection and physical security,' says Babiak.

'And it requires direction from the top as to what these priorities are. Most organisations are reaching their maximum propensity to spend in the security arena, but they are securing things that are easy to secure and leaving other areas, such as physical security, wide open.'

Outsourcing is also creating new gaps in IT security policies. Despite one-third of businesses trusting their IT operations to external suppliers, a third say vendors are not regularly assessed to ensure information security policies are enforced.

And more than 70 per cent of businesses fail to regularly assess whether offshore outsourcing partners meet information security regulatory requirements.

The report also urged government authorities to introduce tougher laws covering email spam, which is increasingly introducing other security threats, such as viruses and trojans.

'Stronger laws around spam should be brought in because it opens up opportunities for malware and it is also costing businesses a lot in terms of time and money,' it says.
