Staff are the weakest link

People are usually the weak link in information security, and not technology, concludes research by an independent think tank.

The three most important elements of successful data protection are management support of security policies, users that follow security rules, and the recruitment of qualified security staff, says the International Information Systems Security Certification Consortium (ISC2), a not-for-profit body which certifies security professionals.

The research, conducted by IDC, concludes that deploying the right software and hardware come fourth and fifth respectively in the pecking order when securing data.

After taking the views of 4,000 information security professionals from more than 100 countries, the ISC2 says the human angle has been traditionally overlooked in favour of trusting hardware and software to solve security problems.

"For organizations to proactively secure and protect their information, financial and physical assets requires unconditional commitment to security at the financial, management and operational levels," said Allan Carey, program manager at IDC who led the study.

"Security management will always require the proper balance between people, policies, processes and technology to effectively mitigate the risks associated with today's digitally connected business environment."

Consultant Geoff Bennett, who works for web security specialist StreamShield, says he's not surprised that the human factor is so decisive in protecting systems.

"There's a saying along the lines of 'It's difficult to make something foolproof because fools are so ingenious'," he told IT Pro. "Users are the deciding factor in successful security, not a deciding factor. Left to their own devices, security is just not something that people usually consider."

He believes another route to better security would come from PC and network makers taking a leaf out of mobile phone makers' books and making their products more 'bullet proof'.

"Greater uniformity among products would also help end user confusion," he says. "Taking users out of the loop and managing security centrally is another remedy."