Ask any information technology (IT) professional from the help desk operator to the chief technology officer in any company, and they will tell you that security is one of their primary concerns. You can almost be guaranteed that they will rattle off a list of exotic titles in your direction, with words like intrusion detection systems, anti-spam, firewalls, antivirus and reverse proxies being bandied about as a measure of how secure their IT infrastructure is.

However, one area that many IT departments neglected to factor in when they crafted their security strategy was the human factor, security experts said.

'Security in a large enterprise can be analogous to a chain - if there is one weak link [through an employee], the enterprise may be at risk,' said Derek Manky, a security researcher for Fortinet. 'This may be through an innocent mistake - as most cases are - or through actual malicious intent.'

The answer to this was education and a solid IT security policy, experts said.

Michael Gazeley, managing director of Network Box, a managed security service provider, said it was a matter of time before the sheer volume of spam, viruses, worms and trojan horses hitting corporate networks every day compromised even the most robust security system. He said user education and a clear IT policy played a vital role in preventing a small breach from infecting the whole system.

'No matter what security system you put in place, it goes hand in hand with how powerful that policy is,' Mr Gazeley said. 'For example, teaching a user about the dangers of spam may stop them from clicking on a link that redirects to a compromised site which hosts malware that launches SQL attacks.'

Likewise, a clear security policy, which specifically covers all sanctioned uses of the IT infrastructure from software to hardware, may prevent a user from engaging in behaviour that could expose a company to a security breach. The emphasis is on making this as comprehensive as possible.
'Many network layers may be built up for security settings, but if administrative policies do not exist, such as control over physical access, security breaches may occur. This includes corporate laptops being removed and re-introduced into an internal network, where malware may spread,' Mr Manky said. 'Other such physical objects include USB keys that contain malware; in particular worms, which can quickly spread from such a third-party medium.'

The problem for many companies is that security-focused user education and IT policy are time consuming and resource intensive. Instead of creating and maintaining a comprehensive document, very often these were simply downloaded from the net, Mr Gazeley said. Similarly, these documents can become so dense and technical that they become completely inaccessible to the average user who might just want to take some files home to work on.

The serious message from the industry is that this makes businesses that ignore security policy and training responsible for user-related security breaches.

'As a managed security service we can only recommend examples of good IT policies to our customers,' Mr Gazeley said. 'It is up to them to adapt these to their needs and police them. We have seen cases where IT policy is completely ignored.'

At a recent security conference in Hong Kong, IBM's security and risk evangelist Pierre Noel identified a number of ways organisations could act to ensure they avoided these pitfalls. Firstly, he advocated making it a process that wasn't driven purely by IT.

'Having the best team of technology people is irrelevant,' Mr Noel said. 'Sometimes it is often detrimental because they will look at it from a technology-only perspective and not focus on user policies and good education.

'Technology is important, knowledge is more important and education is even more important. Companies must educate people on their policies and the right way to behave.'
Secondly, he stressed the need to keep in mind not only the security needs of the network but also the business requirements: often the kneejerk reaction of IT departments was to say no to new technologies, which could stifle innovation.

Thirdly, Mr Noel said that making a single person responsible for security was an effective means of ensuring security policy and education were created and conducted thoroughly.

'In every organisation you want there to be one person who has a difficult night sleeping because it is their problem. If it is diluted, no one is responsible and you will have another incident,' he said.

This trend is increasing today in many enterprise-level companies, where the role of the chief security officer at a board level has emerged.

The final step, Mr Noel said, was constructing the policy so that it was aligned to the corporate culture. 'Policy must match your culture or it will not resonate with the users,' he warned.