A global survey of 232 companies found that although 82% of organisations had an information security programme, less than half had also investigated the security practices of their supply chains.
The study by the Institute of Risk Management (IRM) also found more than 90% of organisations allowed employees to use mobile devices for business use, but less than 40% required formal security configuration of these devices.
The results also revealed almost 40% of organisations reported using some sort of cloud-based facility, but 33% of these had not accompanied this with a security policy.
Commenting on the findings, Sage UK and Ireland chief technical officer Stuart Lynn said HR directors needed to work closely with information teams to implement appropriate security procedures.
“While these figures don’t paint the rosiest picture, cloud and mobile working is an essential fixture in modern business, and threats simply must be managed relative to the level of risk the business can afford to take,” Lynn said.
“HR directors need to ensure they are closely aligned with the chief information officer to communicate and ensure the adoption of security policies across the IT system.
“The workforce must understand security policies so they can safely use data on the move. Corporate reputation, customer data and the financial bottom line are all at risk, so it’s essential to get it right.”
In response to the findings, IRM has published Government-backed guidance that outlines best practices in managing cyber risk.
Universities and science minister David Willetts said the guidance would “help UK businesses tackle the cyber threat and make the most of opportunities for growth”.
IRM chairman Richard Anderson called upon businesses to be realistic about the potential threats.
“Thinking that it will never happen to you is delusional – we all need to understand the nature of the threat, identify our organisational ‘crown jewels’ and ensure that we have the appropriate measures in place to protect them,” he said.
The research also found 20% of respondents had not received information security training.
In total, 10% reported at least one breach of their online systems in the last three years, with consequences ranging from regulatory fines to compensation costs, share price falls and reputational damage.