People are the weak link when it comes to computer viruses, a study shows.
E-mailed viruses still catch people out
A survey by anti-virus firm McAfee found that 50% of senior managers in small businesses blame staff for the damage done by viruses and other computer security problems.
Staff also downloaded unsafe programs on to work PCs and disabled security systems designed to protect them.
Just over half of the small firms questioned said they had suffered damage due to a virus outbreak.
Sal Viveros, spokesman for McAfee which commissioned the research, said many firms had concentrated on some security technologies at the expense of training and educating users.
"Businesses can have the most robust and integrated security system in the world," said Mr Viveros, "but one rogue end user could still be responsible for introducing malicious code onto the network with potentially serious consequences."
The survey found that anti-virus software was widely used on desktop machines (92%), servers (83%) and network gateways (65%), and firewalls (89%) in small firms.
Despite years of telling users not to open attachments on e-mails they were not expecting, many staff continue to click on anything that lands in their inbox.
One virus caused problems for Google
As well as irresponsible users, 45% of those questioned in the survey blamed out of date anti-virus software for leaving them vulnerable to attack.
Poor security policies were blamed by 18% for causing problems.
For instance, three-quarters of the 1,240 firms questioned said they had policies that spelled out the dangers of unauthorised downloading to employees.
But despite this, 66% of the respondents were sure that their employees had flouted this policy to install games, peer-to-peer trading software, video files and instant messaging systems.
The results of irresponsible employees, poor policies and out of date anti-virus protection was almost two-thirds (61%) of firms reporting that they had suffered downtime or lost data because of a virus outbreak.
Mr Viveros said small firms could protect themselves by thinking more deeply about the way they tackled security problems.
Instead of relying on anti-virus software and reacting to security problems as they arise they should develop an approach that puts many more layers of protection between end users and the outside world.
"Ideally they would be able to create security policies that are enforceable and take security out of end user's hands," he said.
Mr Viveros said small firms tended to get overlooked by many security firms who concentrate on large corporate clients and the huge pools of consumers who subscribe to the UK's net service firms.
Although some managed services were starting to spring up that did the security work for small firms but these were not being taken up in large numbers.
Also, he said, many smaller firms only had time to concentrate on their core business rather than worry about developments in computer security or keep up to date with the latest security problems.