Despite a wave of reports regarding security threats from hackers, crackers and organised criminals, most company leaders still believe the biggest threat to firms is the enemy within, according to a report by the Economist Intelligence Unit (EIU) released today.

In a white paper entitled Testing the defences: facing up to the challenge of corporate security, sponsored by Nortel Networks, the EIU reports that in a survey of 178 senior managers, 57 percent said they believed security breaches are more likely to be a result of accident than intent, and 78 percent said breaches arise because of a failure in internal processes.

These findings suggest that strong policies supported by training and incentives are needed to help staff avoid leaking sensitive data. Although 71 percent of companies said that they conduct a security risk analysis at least once a year, 32 percent of them said they did not know the cost of potential security breaches.

Despite regulatory changes that in theory make company leaders liable for security breaches, the report suggests that risk management remains lax. Sixty-eight percent of respondents said they had not tried to quantify the risks to security.

"Companies are still struggling to keep pace with a complex and fast-evolving risk environment," observed Daniel Franklin, editorial director of the EIU, in a prepared statement.

Experts argued that it is possible that company leaders might be ignoring security issues because they think it is unlikely that they will be held legally liable.

"Although rules such as the Data Protection Act make it clear that the director of a company is legally responsible, it's very rare that an officer at the top of the company is held responsible," said George Gardiner, partner at law firm Stephenson Harwood. But he added that directors may be blamed by shareholders if security breaches damage firms' reputations and stock values, and in these cases they could be ousted.

In a foreword to the report, former New York mayor Rudolph Giuliani said the terrorist attacks on the city highlighted the need for forward planning: "$10m spent on corporate security will hit the bottom line today and may not show its worth for many years. But when a security incident does occur, that investment will pay for itself many times over.

"As mayor of New York, I remember thinking that the hundreds of millions of dollars we spent preparing for Y2K might have been wasted ... On the morning of 11 September, I realised that it wasn't. Having thought our way through a complete breakdown of the city's systems, we had the backups that allowed us to get a new command centre partly operational within two hours. Similarly, all of the work we did over the previous few years in preparation for a terror attack - including the drills, the tabletop exercises, and the creation of an emergency management centre - proved invaluable."