IT security is a priority for less than a quarter (23%) of UK businesses with fewer than 250 employees, a survey has revealed.
More than a third (37%) of the 269 IT professionals polled said IT security was an area of minimal investment or one that could be cut if necessary.
Most of these organisations are choosing instead to invest in IT infrastructure, in sharp contrast to general trends, according to the survey report by Redshift Research.
IT decision-makers at small and medium-sized enterprises (SMEs) in the UK continue to underestimate the security required to protect corporate data, the report said.
SMEs are paying relatively little attention to threats from data theft by employees, the survey found.
More than three quarters (78%) regard external threats as more important, with only half expressing concern about internal threats.
The biggest concerns are virus attacks (88%), accidental data corruption (87%) and spam (77%).
Only 55% are concerned about viruses being introduced by USB sticks and 59% are concerned about staff losing USB sticks containing sensitive information.
Most SMEs do not realise that employees could walk away with all the company data on a USB stick, said Walter Scott, chief executive of security firm GFI Software, which commissioned the survey.
The majority of SMEs are also failing to protect themselves with written IT security policies that are signed by employees.
Some 60% of organisations said they either have no policy to regulate access to the network by portable devices or have only informal guidelines in place.
Two of the main contributory factors, said Scott, are that, unlike larger enterprises, SMEs have less exposure to governance frameworks such as Cobit and that there is a greater level of trust.
"In larger organisations managers are less likely to know each employee personally and are, therefore, more likely to put governance structures in place," he said.
Almost all companies surveyed use basic IT security measures such as anti-virus software, but relatively few manage portable memory device access to networks (45%), use network event logging software (55%) or web filtering (61%).
"There is a pervasive indifference towards monitoring the whereabouts of data and its ability to be accessed or copied," said Scott.
A third of respondents said they could not track what portable devices have been connected to the network, 41% did not know what data is downloaded to these devices and 21% had no ability to track where business-critical data is stored.
"This lack of insight into the emerging internal threat has left these organisations woefully lacking in key areas of security," the report said.