More than 70 percent of the 1,233 organizations surveyed did not list training and raising employees' infosec awareness as a priority, the 2004 Ernst and Young Global Information Security Survey showed.
The study also showed that companies continue to focus on external threats such as viruses - and are quick to buy firewalls and antivirus software - instead of internal threats.
"Companies face far greater damage from insiders' misconduct, omissions, oversights, or an organizational culture that violates existing standards," said Edwin Bennett, global director of Ernst & Young's technology and security risk services.
He advised companies to focus on creating a security-conscious culture in which the tone is set by upper management. Right now, only 20 percent of organizations view infosec as a CEO-level priority, he said.