Almost 85 per cent of large US enterprises admit to having suffered an IT security incident over the past 12 months, and the number of breaches continues to rise, new research warned. According to a Computer Associates poll of 642 US enterprise corporates, security breaches have increased by 17 per cent since 2003. Some 54 per cent of organisations reported lost workforce productivity, 25 per cent reported public embarrassment, loss of trust/confidence and damage to reputation, and 20 per cent reported losses in revenue, customers or other tangible assets. Of the organisations which experienced a security breach, 38 per cent said that it was internal. Nearly 40 per cent of respondents indicated that their organisations do not take IT security risk management seriously at all levels, while 37 per cent believe their security spending is too low. The three most important security steps are documenting security policies (88 per cent), creating security education policies for employees (83 per cent) and creating the role of chief information security officer (68 per cent).