Chief executives are aware of the information security risks presented by people within their companies but aren't taking action to secure the insider threat, according to a survey by Ernst & Young.

More than 70 percent of the 1,233 organizations surveyed did not list training and raising employees' infosec awareness as a priority, the 2004 Ernst and Young Global Information Security Survey showed.

The study also showed that companies continue to focus on external threats such as viruses - and are quick to buy firewalls and antivirus software - instead of internal threats.

"Companies face far greater damage from insiders' misconduct, omissions, oversights, or an organizational culture that violates existing standards," said Edwin Bennett, global director of Ernst & Young's technology and security risk services.

He advised companies to focus on creating a security-conscious culture in which the tone is set by upper management. Right now, only 20 percent of organizations view infosec as a CEO-level priority, he said.