Small and medium sized enterprises need to take a more comprehensive approach to securing critical business information, according to business communications firm Colt.

Andy Horn, director of the UK SME division at Colt, told a seminar at the Institute of Directors that a surprising number of smaller organisations still believe that security is fundamentally about antivirus software.

"In reality, if you only focus on specific IT security elements, you are likely to leave yourself exposed. It's like locking the door but leaving the window open," he said.

"Instead, businesses need to examine the value of information to them and build a security plan that takes a complete view of information security, covering both IT and non-IT aspects."

Horn stressed that SMEs need to develop an information security policy and create processes in order to implement and maintain that policy.

Highlighting the need for employee education Horn pointed out that all companies, including SMEs, need to ensure compliance regulation, data backup and virtual and physical access to information.

"No business has an unlimited security or IT budget. There are several inexpensive things a business can do that will make a real difference, such as developing and implementing a security policy and rolling it out to employees," he said.

"It is also easy to get caught up in day-to-day security tasks, such as updating antivirus or anti-spam software, and this takes time.

"For this reason, we advocate out-tasking certain aspects, such as email security or disaster recovery, so that businesses can focus on the overall policy and management in-house."