A quarter of IT managers at small and medium sized enterprises (SMEs) throughout Europe believe that employees are ultimately responsible for IT security breaches, according to new research.

The SMB State of Security report from security firm Websense surveyed 750 IT managers and employees at companies with 100-250 employees in the UK, Germany, France, Italy and The Netherlands.

Although employees acknowledge that they spend an average of two and a half hours a week surfing the web for pleasure, just under half of the IT managers surveyed use web filtering software to protect against web-based threats.

Twenty-three per cent of SMEs have internet usage policies in place, although they do not require an employee to officially sign the policy.

A further 16 per cent admitted to having no usage policy at all, saying that trust in their employees was sufficient to prevent abuse.

Yet nearly a third of IT managers rated 'employee behaviour' as the leading cause of job frustration when it comes to implementing and maintaining IT security.

'IT security not being high enough up the corporate agenda' was the second highest at 27 per cent, and 'budget constraints' came in third at 21 per cent.

A few respondents believe that SMEs should have less protection in place than large organisations because they are exposed to lower levels of risk and do not have the budget.

But the vast majority (71 per cent) felt that all companies should have equal levels of protection irrespective of their size.

"We urge all SMEs to make IT security a business-critical issue," said Mark Murtagh, technical director at Websense.

"Leaving their employees to make security decisions based on what they feel is right is not only putting company confidential data at risk, but adding a strain to the IT department.

"Internet usage policies need to be automated to ensure that hidden dangers are found and protected against."

The research also revealed that the majority of SME employees are placing a false sense of security in their IT department, as two-thirds trust their company to protect them from internet-based security threats.

Only 31 per cent of employees who have used a personal credit card at work have questioned the IT department about whether their PC is protected against identity theft.