Many companies still struggle with how to secure their most sensitive data, elevating the risk of a data breach, according to a new cyber-security report.

The report, based on responses from 476 information technology and security professionals in more than 50 countries and conducted by information-security firm Trustwave, revealed that significant security deficiencies and common security weaknesses remain in most companies. According to the report, 63 percent of respondents said they do not have a fully mature method to control and track sensitive data, while another 19 percent said they do not have one at all.

Furthermore, 33 percent of respondents said they have not commissioned a risk assessment to identify where their valuable data lives and what controls, if any, are in place to protect it. Fewer than half (49 percent) fully encrypt stored sensitive data, with 51 percent encrypting it only partially or not at all.

“Businesses must look at security as a business-as-usual imperative,” Michael Aminzade, vice president of global compliance and risk services at Trustwave, said. “Understanding their risk level is the first step. By identifying their largest security shortfalls and rectifying them, businesses can stay ahead of the criminals and decrease their risk of getting breached.”

The report also revealed a gap between companies’ knowledge of their legal responsibilities when it comes to safeguarding sensitive data, and what they’re actually doing on a practical level. Specifically, 60 percent of respondents said they’re fully aware of their legal responsibilities in safeguarding sensitive data, and yet:

Twenty-one percent never perform security awareness training;

Twenty-three percent never hold security planning meetings; and

Twenty-four percent do not have employees who read and sign their company’s information security policy.

Companies can also do a better job of managing third-party risk. Fifty-eight percent of respondents said they use third parties to manage sensitive data, yet almost half (48 percent) don’t have a third-party management program in place.

“Third-party programs should be updated in line with compliance obligations, as well as changes in the risk landscape,” the report said. “Regularly review and manage the level of risk you are exposed to as a result of these relationships, and investigate any incidents related to these third parties.”

The report also revealed that senior-level executives could be more involved than they currently are. Forty-five percent of companies have board- or senior-level management who take only a partial role in security matters, and nine percent do not partake at all.

“Senior management must understand and engage with the risk and security issues that impact their operational areas,” the report stated. “Ensure proper and clear communication among business departments and technical teams.”

In the event of a breach, many companies still wouldn’t know what to do. According to the report, 21 percent of companies don’t have incident response procedures in place.

“Having processes in place and testing them regularly will help ensure the appropriate people have the right knowledge and skills to respond rapidly to unforeseen problems,” the report recommended. “Coordinate a regular meeting with all key people involved in the incident response process.”

The full Trustwave report may be downloaded here.