There is a belief that the size of a company is directly proportional to the threat of attack when it comes to information technology and security: large PLCs and multinationals suffer more prolonged and targeted attacks, whilst SMEs (Small and Medium Sized Enterprises) and OMBs (Owner Managed Businesses) are relatively secure because of their obscurity.
This is not true.
"The threat to IT systems will always be one of the highest risks to any company, regardless of its size," says John Dunne, IT Security Manager with Grant Thornton's Risk Management Services practice. "Escalation of cyber terrorism, Denial of Service (DoS) attacks and the growth of spam, spyware and 'botnets' have caused companies, both large and small, with poorly secured networks and websites, to become a target."
Key areas for concern include:
Internal Unauthorised Access is caused by poor password security. Writing passwords on post-its, sharing passwords and poor segregation of duties all result in a high security risk.
External Unauthorised Access is caused by not securing known weaknesses (such as wireless networks) or by not changing the system's default passwords.
Data Exposure occurs when unauthorised persons have access to sensitive data either unintentionally, or to facilitate a required action.
Financial Loss can occur directly, whereby someone can gain unauthorised access to the finance system, or indirectly, by stealing bandwidth or processing capacity for internet surfing in company time.
Reputational Risk is the most critical risk to a company. Due to on-line and electronic trade, publicised attacks on company systems can severely affect their credibility.
Setting the correct level of security is paramount to the smooth running of any business. IT Security is generally the remit of the IT department, but those who are responsible for implementing the controls require a detailed understanding of the business, its objectives and the needs of its users.
"Password problems that lead to staff being locked out of the system and unable to access data are indicative of a security policy that is poorly structured. Staff will find 'work-arounds', such as writing the password on a post-it note, which totally negates the effectiveness of the control. Plus there is an added cost in the time required by the system administration staff to reset the password and lost productivity whilst the user is locked out of the system," John Dunne says.
He also warns that there is no quick and easy solution: "Obtaining high quality IT Security does not happen overnight or 'out of the box'. Attaining and maintaining the correct level of IT Security is a holistic approach that encompasses logical controls, physical controls, network security, correctly targeted policies and management support."
Implementing the right level of control results in maximum protection for the company, the staff and its reputation, a reduced level of risk of disruption to the business, and reduced costs, both in the need for resources to manage the IT environment and in correcting things in the event of an incident.
In addition, John Dunne says: "By going one step further, and implementing a data classification structure as part of your IT Security policy, it is possible to target costly IT Resources more accurately, to protect that data which is sensitive, and free up others to be redeployed more effectively. The data is better organised and more reliable when it is being properly maintained; what's more, staff understand and adopt more efficient working practices (e.g. less data duplication) and feel more confident in its quality."
John's five top tips on how to establish a good IT environment include:
1) Logical controls - Passwords should be set to an appropriate length and complexity and changed on a regular basis. User profiles should be commensurate with the person's role and responsibilities. Network access logs should be recorded and reviewed appropriately;
2) Network Security - both internal and external firewalls should be configured and reviewed on a regular basis. Default administrator passwords for switches and routers should be changed upon implementation;
3) Physical Security - servers, workstations and back-up devices should be appropriately secured to protect them from theft or misuse;
4) Malware Protection - Anti-Virus, Anti-Spy and Anti-Spam software should all be installed on the network and configured to run in conjunction with the other network security controls;
5) Clear, Coherent Policies - all the above controls should be supported by an appropriate IT Security strategy, IT Security policy, Conditions of Use document and a Business Continuity plan as well as a clear and regular communication of the need for good IT Security.
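The first tip (logical controls) is the one most easily turned into a routine check. The script below is an added illustration, not code from the article or from Grant Thornton: it takes a constructed list of user accounts, an assumed role-to-permission matrix and a few constructed access-log lines, and reports passwords older than the rotation period, permissions granted beyond what a role entitles the user to, and users with repeated failed logins. The 90-day rotation period and the three-failure threshold are assumptions chosen for the example.

```python
from datetime import date

# Constructed sample data (not from the article): each user's role, the permissions
# actually granted, and the date the password was last changed.
ACCOUNTS = [
    {"user": "alice", "role": "finance", "perms": {"ledger_read", "ledger_write"}, "pw_changed": date(2024, 1, 5)},
    {"user": "bob", "role": "sales", "perms": {"crm_read", "ledger_write"}, "pw_changed": date(2024, 3, 1)},
    {"user": "carol", "role": "it_admin", "perms": {"admin", "ledger_read"}, "pw_changed": date(2023, 9, 1)},
]
# Assumed role matrix: what each role is entitled to (an assumption, not the article's).
ROLE_PERMS = {
    "finance": {"ledger_read", "ledger_write"},
    "sales": {"crm_read", "crm_write"},
    "it_admin": {"admin"},
}
# Constructed network access-log lines: timestamp, user, result.
ACCESS_LOG = """\
2024-03-14T08:01:02 alice LOGIN_OK
2024-03-14T08:03:11 bob LOGIN_FAIL
2024-03-14T08:03:40 bob LOGIN_FAIL
2024-03-14T08:04:05 bob LOGIN_FAIL
2024-03-14T08:10:33 carol LOGIN_FAIL
"""
REVIEW_DATE = date(2024, 3, 15)  # the day the review is run (constructed)
MAX_PW_AGE_DAYS = 90             # assumed rotation period for "changed on a regular basis"
FAIL_THRESHOLD = 3               # assumed number of failures worth a reviewer's attention

def stale_passwords(accounts, today, max_age=MAX_PW_AGE_DAYS):
    """Users whose password is older than the rotation period."""
    return sorted(a["user"] for a in accounts
                  if (today - a["pw_changed"]).days > max_age)

def excess_permissions(accounts, role_perms):
    """Permissions granted beyond what the user's role entitles them to."""
    report = {}
    for a in accounts:
        extra = a["perms"] - role_perms[a["role"]]
        if extra:
            report[a["user"]] = sorted(extra)
    return report

def repeated_failures(log_text, threshold=FAIL_THRESHOLD):
    """Users with at least `threshold` failed logins in the log."""
    counts = {}
    for line in log_text.splitlines():
        _ts, user, result = line.split()
        if result == "LOGIN_FAIL":
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

Run against the constructed data it flags carol's stale password, bob's and carol's permissions that exceed their roles, and bob's three consecutive failed logins.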
For both large and small companies John says: "IT security is everyone's responsibility. It should be led from the senior management team and disseminated down to every staff member in the company - not just the IT department."