The purpose of this paper is to study the adoption of information technology security policies in Kenyan Small and Medium Enterprises (SMEs). Particularly this study looks at whether the roles and responsibilities of Information Technology (IT) security in SMEs are well defined, whether SMEs have a documented information security and are if employees aware of the policy. Further the study finds out whether SME employees are given adequate and appropriate information security education and training, and if employees are well informed as to what is considered acceptable and unacceptable usage of the organization’s information systems. There is evidence from the survey to suggest that IT security policies are not widely adopted and the benefits harnessed by Kenyan SMEs. The survey reveals that much more needs to be done if SMEs are to realize the benefits of information technology without compromising their security status. This is one of the first studies to explore IT security issues in Kenyan SMEs. The survey is likely to assist SME owners, practitioners, and even academicians gauge how effective their information security efforts have been.