Despite an increased occurrence of the likes of Nimda and Code Red, many companies still believe an "expensive lock" on their IT systems will keep them out of harm's way.
However, Dean Kingsley, partner, enterprise risk services for Deloitte Touche Tohmatsu, warns most of the recent security breaches are internal.
"Companies are more technology centric than they should be [about security]. I am struggling to think of a security incident that was a technology failure in the last six months," Kingsley said.
"[Security attacks] have been due to process failures, due to incidents where companies have not updated their patches. Many internal users are also not educated adequately about security risks, for example password sharing."
Only through an integrated system of managing people, installing best-of-breed security technology and implementing policies and infrastructures dedicated to security can organisations achieve their required level of safety, Kingsley said.
Joe Marsella, senior manager of IS, Kimberly Clark, agrees. He said security approaches should be more procedural than technology driven.
"With security implementations the focus should lie primarily on policy, rather than technology."
Kingsley said it is really about "maturity of lifestyle", but most Australian organisations have not made the leap or realised that people and policies are just as important as implementing the "right" technology.
"A lot of organisations don't have the right technology in place, or have the right stuff in place and still have incidents, because the people and policy issues have not been addressed."
Paul Copperfield, delivery manager, consulting and financial services for Getronics, said whilst large financial institutions and governments are much more aware of security concerns, there is still a lack of "visibility" amongst most organisations.
"Security is still not given the profile it needs. It is still seen as an add-on responsibility. Ongoing maintenance is not up to date; [organisations] are not up to date with the latest [patch] releases and hacking techniques.
"A lot of large organisations still don't have one person dedicated to their IT security infrastructure," Copperfield said.
Kingsley said beyond the public sector and telecommunications industry, which are fairly well regulated, and financial institutions, there is a "gap".
"But I don't have a problem with this. Security is an investment. The telco, financial services and public sector on average have information that is more valuable than other industries."
However, Kingsley said there are "point issues" in other industries, such as health. "For example, if information from a small pharmaceutical company got out, that could be quite detrimental."