MENLO PARK, Calif., June 11, 2013 /PRNewswire/ -- Despite broad recognition that cyber threats are more prevalent than ever before, a large number of companies are not adequately prepared to respond to a data breach or IT security crisis, according to findings from the 2013 IT Security and Privacy Surveywww.protiviti.com/ITsecuritysurvey by global consulting firm Protiviti ( www.protiviti.com). (Photo: http://photos.prnewswire.com/prnh/20130611/SF29842-INFO) (Logo: http://photos.prnewswire.com/prnh/20090115/AQTH541LOGO) More than two-thirds (68 percent) of respondents in Protiviti's survey said they have elevated their focus on information security in response to recent press coverage of so-called "cyber warfare." However, the number of companies that appear inadequately prepared for a crisis is surprisingly high. When asked if their organizations have a formal and documented crisis response plan for use following a data breach or hacking incident, more than one-third reported that either their organizations did not (21 percent) or they did not know (13 percent). "Cyber security must continue to be a major focus for businesses, especially in light of recent high-profile security breaches," said Cal Slemp, managing director with Protiviti and global leader of the firm's IT security and privacy practice. "While we're seeing a greater number of companies across a wider range of industries devote more attention and resources to improving their approach to data security, there are still a lot of businesses that are susceptible to attacks." Data Policy and Retention/Storage Issues According to the survey results, many companies lack key data policies and are ineffective at managing data through proper retention and storage practices, including the classification of sensitive data. Approximately 22 percent of companies do not have a written information security policy (WISP) and 32 percent lack a data encryption policy. Not having these policies in place is an important consideration when a breach involves information covered by data privacy laws and can expose an organization to significant legal liability.