According to the results of Protiviti's 2013 IT Security and Privacy Survey of 194 IT executives and professionals, 21 percent of respondents said their organizations don't have a formal crisis response plan for use following a breach, and 13 percent said they didn't know whether or not such a plan was in place (h/t ESET).

The survey also found that one in four companies don't have a written information security policy, and one in three don't have a data encryption policy. Only 63 percent of respondents said they have a system in place for properly classifying data as sensitive, confidential or public.

Still, 68 percent of respondents said they've elevated their focus on information security in response to recent press coverage of "cyber warfare."

"Cyber security must continue to be a major focus for businesses, especially in light of recent high-profile security breaches," Protiviti managing director Cal Slemp said in a statement. "While we're seeing a greater number of companies across a wider range of industries devote more attention and resources to improving their approach to data security, there are still a lot of businesses that are susceptible to attacks."

The survey did find that CIOs are taking more responsibility for data governance strategy, oversight and executions, and are increasingly involved in crisis plans for responding to a breach. "The role of the Chief Information Officer is becoming more prominent in organizations, in part, because of the importance of data, both in terms of advancing the business as well as managing risk," Slemp said.