Organisations of all sizes are now significantly reliant upon information technology and networks for the operation of their business activities. All therefore have a consequent requirement to ensure that their systems and data are appropriately protected against security breaches. Unfortunately, however, there is evidence to suggest that security practices are not strongly upheld within small and medium enterprise environments. The paper presents a survey of specific security practices within such organisations in Europe and the USA, with particular focus upon whether adequate attention is given to the issue of risk assessment. The survey reveals that SMEs are characterised by lack of adequate attention to IT security, with related responsibility frequently unassigned, or allocated to someone without appropriate qualification. This is shown to have consequences in terms of adherence to good practice, with the significant majority of organisations not having developed a security polic...