The man credited with the quote in the headline was not a high-flying business guru, an analyst, or even a highly paid management consultant. He was Sophocles, a writer of Greek tragedies born in 496 BC.

About 2,500 years later, as businesses battle a new kind of Trojan, viruses and identity theft, his words still ring true. Many companies hit by Slammer, NetSky and Blaster worms - and any of last year's main viruses - learned the hard way about what worked when it came to their security defences.

According to the latest Department of Trade and Industry security surveys, 74 per cent of UK businesses have suffered a security breach, with each one costing companies an average of between £7,000 and £14,000. Among the hardest hit were the smaller companies without the resources to adequately protect their systems.

And with the widespread adoption of always-on broadband connections in small businesses, the problem is likely to worsen.

The stark lessons from last year highlight that there is no real value in designing security policies and investing in protective technologies if you cannot ensure they are enforced at all times. To do this, three things need to happen. First, the policies that the business needs to function, both securely and operationally, need to be determined. Second, the co-operation of those affected by those policies needs to be obtained, and third, the policy must be effectively enforced on a day-to-day basis.

Apart from the deployment of the physical elements of security, such as firewalls, anti-virus and web filtering, a priority is the education of employees. It is misleading to suggest that all Internet security issues arise because of technology vulnerabilities. Many breaches originate from staff.

To get employees to agree with policies and support them through their actions, business leaders must be actively involved in the process, rather than simply demanding it of their employees as a requirement. An Acceptable Use policy should be devised that explains what employees must do and what they should not do when using the company's systems.

This involvement will ultimately result in information security being accepted as part of the organisational culture.

Michael McMeekin is managing director of Wisdom IT. Log on to www.wisdomit.co.uk

Published: 05/07/2005