IT security has matured significantly over the past few years.

An increase in the number of viruses such as Slammer, the advent of phishing, and a spate of high-profile attacks on organisations such as Sumitomo Bank, have pushed security to the top of many company agendas.

While such publicity is scaring people into action, security still has a long way to go before it is embedded in everyday life.

John Thompson, chief executive of Symantec, the world’s fourth-largest software company following its $13.5bn (£7.6bn) acquisition of Veritas Software earlier this year, believes it is time for governments to work with industry to push awareness into the public’s consciousness.

‘Companies around the world have awakened to the reality that security is part of the fabric of systems,’ says Thompson.

‘We are making progress on the consumer front, but there needs to be work on the social engineering of security.’

Thompson believes it is essential to educate IT users on good security practices, and to make them aware of potential hazards.

‘In the physical world we know there are certain places that we don’t go to at night. We have developed this sixth sense over the years, but have not developed it in the wired world. There is significant opportunity for government and industry to work together to help increase awareness,’ he said.

The UK government has started to take steps to improve security and raise awareness.

It launched the UK’s first accreditation scheme last month to ensure that off-the-shelf IT security products meet basic quality standards (Computing 8 September), but it is very much a first step.

Thompson says there is not a government in the world that is doing enough to educate users about safe computing, and it must be taken more seriously.

‘When we decided in the US that automobile accidents were the greatest cause of death, we made people wear seatbelts and reduced speed limits.

‘When we decided that cigarette smoking was a huge public health issue, we changed the law and put ads about health implications on TV,’ he says.

‘When public safety was compromised, we decided something had to be done. Has the internet reached the point where we need to say to the public: “this is how to behave”? We told them how fast to drive, whether or not to smoke, so why shouldn’t we tell them about safe computing?’

There is an argument within industry that a ‘name and shame’ policy will force organisations to take security more seriously. The theory goes that publicising the fact that companies have been victims of security attacks will prompt others to tighten their defences to protect their brands and reputation.

But Thompson is not convinced this is a sensible strategy.

‘You would be forcing companies to publish information that undermines consumer confidence,’ he says. ‘You need to be more measured in your response.’

Thompson says legislation such as Sarbanes-Oxley is forcing companies to be more open, but points out that the problem is not new, and if too many rules are implemented, it could unintentionally undermine confidence.

‘The stuff in the US has been going on forever,’ he says. ‘It was only that it has forced people to say something about it.

‘I think those that are named have been working on security, but those that have not been named have also been working on security solutions. You don’t need to have your name smeared in mud to do something about protecting data.’

Too much legislation and tightening of laws could also suppress innovation, something that undermines one of the main principles of the internet.

‘The world on the internet has been an incredible engine for commerce around the world. If you introduce too much legislation too fast you could stifle innovation,’ he says.

‘We would be in favour of a solution that helps, but not one-dimensional legislation that closes borders and stops people trading around the world.’