Hardware and software vendors are guilty of hyping external IT security threats while failing to warn companies sufficiently about internal risks, according to a survey of senior executives by the Economist Intelligence Unit in association with AT&T.

The survey showed that while more than half the execs saw viruses and worms as the main threat, 80 percent also admitted to having opened an unrecognised email attachment in the last year. Some also confessed to using their name or birthday as a password, or to accessing the company network in a public place and failing to log out.

"The security industry has had an interest in talking up technical and electronic counter-measures, as opposed to good practice and setting security policies," says EIU senior editor Gareth Lofthouse. "But it's easier for companies to throw money at it - a cultural challenge is much harder."

According to project sponsor AT&T, an increasingly popular reaction could be to outsource IT security. Not only does this off-load a complex and expensive operation, but it means that the outsourcing company - AT&T, for instance - now has an interest in promoting good practice.

"Security policies must change to strike a balance between protection and accessibility. It used to be about keeping outsiders out, now it's more about letting the right people in," adds Jeff Ace, AT&T's VP of global marketing and business development.

"E-business is all about off-loading your back office work onto your customer or supplier, so you have to be accessible. Security is a business enabler - it's the price you pay for giving others access to your systems for ERP, CRM and so on."