The IT department is left to develop and enforce a security policy in 71% of FTSE 350 companies, according to business executives questioned for the survey.
Simon Owen, partner in the technology assurance practice at professional services firm Deloitte, said, "The findings are as alarming as any written security policy. If you fail on security, how confident can management be that controls are strong throughout the organisation?
"It could be symptomatic of wider problems throughout the company."
Owen said a written policy on an organisation's information security should be no longer than 10 pages and avoid jargon. It should cover internal and external threats and be backed up by training to raise awareness of security issues among staff, he added.
UK companies with a casual approach to IT security also risk the anger of shareholders, according to the survey. Commissioned by IT services company LogicaCMG, it questioned senior executives at 20% of the FTSE 350 companies.
A security breach would have an impact on a company's share price, according to 83% of investors, and 68% said that a company's policy on IT security would be a significant factor when deciding whether to buy or sell its shares.
Getting it right
"UK companies have a misplaced conception that increased spend in IT security will mitigate information violations. Unfortunately, devolving responsibility of information governance away from the board room to the IT department will not safeguard information assets.
"Information security governance needs to be embraced throughout the organisation. The best technology in the world cannot alone prevent the implications of negligent human behaviour."
Dave Martin, UK principal security expert at LogicaCMG