Security: As much about people and places as software

Despite a realisation across organisations that cyber-security should be a top priority, a large portion of users feel inadequately protected, and humans - rather than technology - continue to be the weakest link.

Many analysts are now recommending security budgets of 3-5 per cent of operational expenditure and organisations are nearing this level in some cases but "lack of budget" is considered a reason for corporate angst.

That's according to Ernst & Young's sixth annual global information security survey, which has also found around a third of organisations rate their ability to tell if their information systems are under attack as 'inadequate' or 'only marginal'.

Jan Babiak, managing partner at Ernst & Young's UK Information Security Practice, told silicon.com: "Organisations shouldn't necessarily be spending more [than 3-5 per cent] but they should be spending it better, spending it on the right things."

Common corporate oversights include little monitoring of partners' business continuity plans, a lack of understanding of insurance policy cover for breach-related damage and insufficient privacy compliance processes put in place.

However, many companies are still focused too much on software-related security. E&Y's Babiak said physical barrier breaking, such as poor building security or keystroke capturing 'dongles' placed between keyboards and PCs, could be at least as dangerous.

Also poor staffing procedures - for example not running background checks while hiring - are a threat.

Babiak added: "Getting people security right is harder. There can often be a vulnerability at a very low level."

E&Y polled senior IT business executives at 1,400 companies around the world.