Only 1 percent of U.K. companies use all methods available to control access to their IT systems and prevent security problems, according to the Department of Trade and Industry (DTI).
Companies that used all identity and access management safeguards had no security incidents, according to the telephone survey of 1,000 companies. A consortium led by PricewaterhouseCoopers conducted The Information Security Breaches Survey, the DTI said.
The survey's full results will be released at the Infosecurity Europe conference in London next month.
Large companies reported only a small increase in the number of security incidents from 2004, the last time the survey was conducted. The use of strong authentication techniques, such as hardware tokens and digital certificates, have kept problems at bay, it said.
Businesses using biometric authentication methods reported fewer incidents than those using software-based tokens and certificates alone. But about 80 percent of companies were simply using single-factor authentication such as passwords to protect data and access.
Banks led businesses in implementing two-factor authentication, as they have greater exposure to online fraud, said Chris Potter, information security assurance partner at PricewaterhouseCoopers.
Two-factor authentication can take different forms. For example, one method may require a person's regular user name and password and then ask for an additional, one-time disposal password kept before access is granted to a banking Web site.
Most companies that aren't using strong authentication said there is no business requirement yet to implement it, Potter said.
"Companies tend to be implementing two-factor authentication when either their risk profile is very high or they've had actual incidents in the past," Potter said.
One in five of security incidents at large companies involved staff gaining unauthorized access to data. The survey said 6 percent of companies suffered from phishing attacks.
Instances of fraud were low, but caused more damage than other breaches, the survey said. Some small businesses reported fraud losses of £10,000 to £50,000 ($17,500 to $87,300).