CEOs aren't doing enough to address the myriad IT security threats that loom large. At least that's what Ernst & Young concluded from survey results it released today.

E&Y contacted 1,233 organizations representing 51 countries for its "Global Information Security Survey 2004," a report meant to gauge enterprise perceptions of security. In the 11-year history of the report, not much has changed.

"Perhaps the remarkable thing is how little attitudes, practices, and actions have changed since 1993 -- during a period when threats have increased significantly," the report states.

The survey found that only 28 percent of global respondents noted "raising employee information security training or awareness" as a top 2004 initiative, despite the fact that a "lack of security awareness by users" was their top IT security obstacle.

Sixty-seven percent of the organizations surveyed view information security as being an important part of achieving their organizations' overall business goals and objectives. This is an 11 percent increase over last year.

Employee misconduct involving information security was noted by 60 percent of respondents as being a high-level concern for organizations over the next 12 months. The survey also found that the No. 1 one cause for business system outages was hardware failure at 72 percent of which 87 percent originated within the organization itself (as opposed to be external).

"While the public's attention remains focused upon the external threats, companies face far greater damage from insiders' misconduct, omissions, oversights, or an organizational culture that violates existing standards," Edwin Bennett, global director of Ernst & Young's Technology and Security Risk Services, said in a statement.

"Because many insider incidents are based on concealment, organizations often are unaware they're being victimized," Bennett continued. "Too many organizations feel that information security has no value when there is no visible attack. This is a perception that has remained unchanged over the decade that Ernst & Young has been conducting this survey."

Visible attacks in the form of viruses, Trojans and worms were the No. 1 high-level concern among the survey base, coming in at 77 percent. They were noted by 68 percent of respondents as being responsible for an unexpected or unscheduled outage of a critical business system. In contrast to the incidents reported from those external threats, incidents originating from former or current employee misconduct were noted by only 24 percent of respondents.

In E&Y's view, the buck should stop at the CEO's desk. The survey found that only 20 percent of organizations view IT security as a CEO-level priority. E&Y advocates that the CEO should set the tone for a security-conscious culture.

"Companies can transform their view of information security, and approach it as a way to gain competitive advantage and preserve shareholder value, rather than merely consider it a necessary cost of doing business," Bennett said. "However, this transformation must be led by a visible shift in attitude from the CEO and the board. More could and should be done to transform the skills and awareness of their people who often present the greatest opportunity for vulnerabilities and convert them into its strongest layer of defense."

Respondents indicated they would not increase spending on IT security as much as in previous years. In 2003, 21 percent said the spending would increase significantly while 40 percent said it would increase slightly. In this year's study, only 17 percent said spending would increase significantly and 52 percent thought it would increase only slightly.

Earlier this year, research firm IDC reported 59 percent of its survey base indicated that IT security spending would increase. According to CompTIA, when organizations invest in IT security, it usually results in fewer incidents.

In survey results published last April, the firm found that organizations reported 19.7 percent fewer security incidents when at least 25 percent of their staff had IT security training.