Industry bodies in the UK associated with information security have got together to launch the Information Security Awareness Forum.

Launched on Tuesday (February 12), the forum aims to co-ordinate the activity of the many organisations that have a stake in making sure that businesses and consumers protect their data.

It has promised not to come up with a new raft of information, but rather repurpose and package what is already out there in a way that is easy to access. In particular, it has plans to publish an information security guide for directors – and not just IT directors – to allow them to understand the real risks to their business.

The forum will also be raising awareness of the issues during Information Security Awareness Week, which is in April to coincide with trade show Infosecurity Europe and is held in London each year.

Awareness is one thing, but getting your staff or customers to act on it is another. So says PricewaterhouseCooper’s Chris Potter, who manages the UK’s Information Security Breaches survey on behalf of the Government.

The results of 2008’s survey, which will be published during Information Security Awareness Week, are likely to make uncomfortable reading for many retailers.

Potter says that one key issue emerging as the results are analysed is data leakage and protecting customer data. He said: “When we have big security incidents, it is normally the result of lots of small things failing and one of those failing elements is people.”

This was certainly the case for Marks & Spencer when it lost a laptop containing details of its staff last year. Though the Information Commissioner’s Office has now demanded that M&S has encryption software on all of its laptops, it was not purely the lack of encryption that led to the initial breach. The breach would not have occurred had a contractor not been able to take that information outside of the corporation on a laptop that was then stolen from his home.

Potter adds that good information security is not really about awareness, but changing behaviour. People can understand the risks, but you only win the battle if you get them to mitigate them.