Organizations of all sizes are now significantly reliant upon information and communication technology for the performance of their business activities. They therefore need to ensure that their systems and data are appropriately protected against security threats. Unfortunately, however, there is evidence to suggest that security practices are not strongly upheld within small and medium enterprise environments. The purpose of this study was to investigate the information technology security practices in Small and Medium Enterprises (SMEs) in the financial sector in Kenya. In particular, the study sought to identify the main perceived threats to information security in the organizations and the measures the organizations put in place to protect their information assets from these threats. The study tried to establish whether the risk posed by security failures to the organizations’ operations was high, based on their reliance on IT systems, and whether the security posture adopted by the organizations reflected the level of risk. The study established that the SMEs studied were highly reliant on information technology for their business operations; hence the risk posed by failure of IT security was high. The study found that the major perceived and experienced threats to security were viruses and system users. The study also found that in the SMEs there were some attempts at securing the IT assets, though these efforts were largely uncoordinated. The IT security role was frequently unassigned, or allocated to someone without appropriate qualification. Most organizations did not have a formally specified IT security budget, although some security-related expenditures were made.