Companies understand the need for IT security provisions but many let themselves down by failing to enforce good behaviour among employees, according to the 2008 information security breaches survey.

The report, which was carried out by a consortium led by PricewaterhouseCoopers on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR), found that companies are increasingly employing more technology to counter IT threats.

The number of companies that have a security policy has also doubled over the last eight years, the research revealed, with 86% of large companies logging and monitoring staff access to the internet and 81% blocking access to inappropriate websites.

But despite these efforts from businesses, many companies are worried about staff behaviour while on the internet, for example on social networking sites such as Facebook, Bebo and MySpace. Some firms cited examples of confidential business information being placed online on such sites.

The survey also revealed that staff are being increasingly targeted by social engineering attacks, where outsiders attempt to obtain confidential information about employees.

Employee use of the internet in work time is now becoming widespread. Over half (54%) of companies now allow staff to access systems remotely, up from 36% in 2006, while the proportion of businesses restricting internet access to some staff only has dropped from 42% to 24%. Only 9% now give staff no access to the internet.

And while 53% of large businesses now employ strong (multi-factor) authentication for their IT systems, only 14% of small companies do so.

"Having a security policy alone does not magically improve security awareness among staff," said Chris Potter, partner, PricewaterhouseCoopers. "What companies are realising is that increasing security awareness is only part of the answer.

"The critical issue is changing the behaviour of their people. A 'click mentality' has grown up where users do what expedites their activity rather than what they know they ought to," he added.

"It is a bit like the road speed limit; everyone knows what they ought to do, but only a few actually do it. Only when behaviour changes do businesses realise the benefits of a security-aware culture."