Information security is everyone's business, but that message doesn't always filter up to the highest level of the organization. New research from Ernst & Young finds that companies should be doing more to safeguard their data.The 2004 Ernst & Young Global Information Security Survey is based on responses from 1,233 worldwide organizations. Of these respondents, more than 70% failed to identify training and raising employee awareness of information security issues as a top initiative.Companies are generally focused on external threats such as viruses, and are putting technology measures such as firewalls and anti-virus software in place to reduce these risks. But not enough attention is being paid to internal threats."While the public's attention remains focused upon the external threats, companies face far greater damage from insiders' misconduct, omissions, oversights, or an organizational culture that violates existing standards," says Edwin Bennett, global director of Ernst & Young's Technology and Security Risk Services. "Because many insider incidents are based on concealment, organizations often are unaware they're being victimized."Bennett recommends creating a security-conscious culture at the top. The CEO and the board must approach security as a way to gain competitive advantage and preserve shareholder value rather than as a necessary cost of doing business."More could and should be done to transform the skills and awareness of their people, who often present the greatest opportunity for vulnerabilities - and convert them into its strongest layer of defense," he says.For the complete survey results, go to https:\/\/www.ey.com\/global\/content.nsf\/International\/Home***Assistance required: Network World is planning an upcoming series of articles about the biggest non-technical threats facing IT executives and how to turn those into opportunities. Yes, we've already thought of outsourcing, but need your help in identifying other topics to cover. Please drop me a line at firstname.lastname@example.org and let me know what you see as the biggest threat to IT leaders.