Separate surveys from Computer Sciences Corporation and venture capitalists 3i highlight how far many organisations are from instituting basic best-practice procedures.
The CSC survey, of more than 1,000 IT executives worldwide, found 46% did not have a formal information security policy in place and 59% lacked a formal compliance program.
A shocking 68% admitted they did not regularly conduct security risk analyses or security status tracking.
"While most IS professionals recognise the benefits of protecting and securing data, the business leadership in the organisation still sees security as a 'nice to have' rather than a 'need to have'," said Ron Knode, CSC's global director, managed security services. "It's not until something goes wrong that perceptions change. The fact is, it costs far less to establish the right security measures at the outset than it does to recover from a breach in security."
Knode added: "There has been significant media attention focused on the risks of cyber terrorism. While cyber terrorism is a very real concern, disgruntled employees or hackers also pose a risk to an organisation's data and intellectual property."
Allan Carey, senior analyst at market researcher IDC, echoed this. "With the majority of attacks it tends to be the insider who is the larger threat," he said in a comment on 3i's "E-security - 2002 and beyond" white paper.
The survey, carried out with the Economist Intelligence Unit, warned that 80% of firewalls were incorrectly installed and claimed that the telecoms industry was the least alert of any business sector to the importance of e-security.