Organisations' approach to information security has matured dramatically over
the last two years, but fundamental contradictions in security management still
exist which are undermining their efforts at data protection, according to the
latest Information Security Breaches Survey.
Launched at the annual Infosecurity Europe trade show in London today, the
biennial report, carried out on behalf of the Department for Business,
Enterprise and Regulatory Reform (BERR), found widespread boardroom
recognition of information security, leading to an increase in spending from two
per cent of total IT budget in 2002, to seven per cent today.
However, despite firms now investing in technologies like software scanning
(98 per cent), wireless network encryption (94 per cent) and back-ups (99 per
cent), over three-quarters are still unaware of the best practice international
ISO 2700 security standard.
"There are gaps between the aspirations of firms and what they are actually
putting into practice," said PwC partner Chris Potter. "Eighty-one per cent
said they believe security is a high priority but only 55 per cent actually
have a documented security policy."
Data breaches were identified as the biggest challenge facing firms today,
but although 77 per cent said protecting customer information is a priority,
only eight per cent encrypt data stored on laptops, the survey found.
A lack of dedicated IT security professionals and the ever-evolving nature of
threats are major factors adding to the risks facing firms today, argued Potter.
He recommended that firms first seek to understand the threats facing them by
accessing the right knowledge sources, and then carry out risk assessments and
implement integrated security controls.
Security awareness was highlighted as a major element of effective security
risk management strategies. Although firms are trusting their staff more by
reducing blocks on instant messaging and opening up internet access, training
policies still lack vigour, the report found.
"What we find is that we may have got the technical problems solved but we
need to raise the human element," said Martin Smith of The Security Company,
which was also involved in producing the survey. "I wonder how much of firms'
[awareness raising] is … just ticks in boxes – we need to move from raising
awareness to changing behaviour."
However, Mike Smart of security vendor Secure Computing argued that
technology controls are an important part of an effective security risk
management programme.
"Policy-based actions like encrypting content become very important, and
technology can help to stop users clicking on a certain link, to [mitigate the
risk] from social engineering attacks," he explained.
Also at the event, the newly created Information Security Awareness Forum
launched a new information-sharing portal to allow experts to share views and
knowledge and to help promote awareness. Infosecurityadviser.com includes
product news and reviews, expert blogs, and an "ask the experts" feature.
Mike Maddison, UK head of security and privacy services at consultancy
Deloitte, said that organisations need to coordinate their response to security
issues across multiple departments, which can be challenging.
"As there is no software patch for people it is clear that the solution to
managing such a risk requires flexibility and is as much about people and
culture as process and technology," he added. "Consumer concerns and media
attention will continue to make this a high profile issue and could result in
increasing legislation."
In related news, the growing risk to firms from unchecked internet use at work
was highlighted today by new research from security vendor Sophos. Its latest
Security Threat report found that in the first three months of this year the
vendor blocked the equivalent of a new infected web page every five seconds,
compared with one every 14 seconds last year.