People and social engineering techniques, not hackers and viruses, represent the biggest threat to business IT security defences, according to two-thirds of UK IT bosses.

The findings of this week’s silicon.com CIO Jury panel coincide with a separate survey out today from the Confederation of British Industry (CBI) that claims firms spend £1m each on average to combat the combined threat of hackers, terrorists and animal rights extremists.

But two-thirds (eight) of the CIO Jury panel said internal employees and social engineering represent the biggest IT security threat, with a third (four) citing other factors – including growing concern over home PCs as the weak link in the security chain.

Adrian Seccombe, UK IT director for global risk management at pharmaceutical giant Eli Lilly, said: “I believe the largest and growing threat to business information security defences stems from the poor state of security of the home PCs of those same people. Imagine a world where 45 per cent of home PCs have key loggers capturing and sending the users’ bank details to nefarious websites. So in fact the perimeter that we need to worry about is our customers’ perimeter, not ours.”

Among the factors listed as part of the ‘people’ threat were collusion between employees and criminals; disgruntled employees; and portable storage devices.

Graham Yellowley, director of technology at Mitsubishi Securities International, said: “People, and particularly more than one person working together, can find ways of outwitting a business’ security defences.”

Kevin Fitzpatrick, CTO at Manpower, said that while technology can pick up incidents such as virus alerts immediately, the impact of a breach caused by a rogue or unwitting employee may only be discovered long after the damage has been done.

“Prevention relies on ensuring everyone from the cleaner to the CEO is aware of the issue, is careful with passwords, details of procedures, and what they throw in the dustbin. It’s very difficult to get everyone to take the risk seriously and act as needed.”

David Lister, CIO at Reuters, said ignorance and complacency are far more threatening factors, while Hugo Smith, IT director at Sporting Index, argued traditional hacking techniques pose the main threat.

“Although a risk, social engineering is much harder work and higher risk for the attacker than planting Trojans from behind layers of spoofed routers with many hours of unmanned office time to find exploits,” he said.

Today’s CIO Jury was…

Kevin Fitzpatrick, CTO, Manpower
Matthew Gouldstone, Technology services manager, Prudential
David Lister, CIO, Reuters
David McKean, CIO, Cable & Wireless
Colin Moore, Information services director, Department for Education and Skills
Dr John Odell, Group IT director, BBA Group
Ed Parsons, CTO, Ordnance Survey
Adrian Seccombe, IT director, global information risk management, Eli Lilly
Hugo Smith, IT director, Sporting Index
Margaret Smith, director of business information systems, Legal & General
Graham Yellowley, director of technology, Mitsubishi Securities International
Phil Young, head of IT, Amtrak

If you are a CIO, IT director or equivalent at a large or small company in the private or public sector and want to be part of silicon.com’s CIO Jury pool, or you know an IT chief who should be, then drop us a line at editorial@silicon.com