Almost 100 percent of UK firms do not have sufficient identity and access management safeguards to prevent electronic ID theft, according to the 2006 DTI Information Security Breaches Survey released today.

Just one percent of UK companies had all the correct measures in place, and nearly a fifth of large companies reported that staff had gained unauthorised access to data.

"The figure is so high [because] there are so many different things organisations need to do [to secure access to their systems], and it will take them a long time to build up their foundations," said Andy Kellett of analyst firm Butler Group.

Kellett added that the required management systems vary according to the sector in which firms operate. For example, a system combining controls for physical and network access would be particularly relevant to manufacturing and retail environments.

Andrew Beard from PricewaterhouseCoopers, who lead the survey, said few companies are strengthening and integrating their authentication, provisioning and authorisation systems because most companies simply respond to regulations imposed on them.

"Firms are being reactive rather than proactive," Beard said. "It's a small comfort that [identity management problems in the latest survey] were not much worse than they were in 2004, but although the incidents are relatively low, when they do happen they have more impact."

The risk bad publicity in particular means organisations cannot afford to neglect identity and access management, Beard added.

John McNulty, chief executive of security specialist Secure Computing, predicted that sales of authentication and identity management tools will grow rapidly as more firms realise the importance of a comprehensive IT security strategy.

"We've been preaching for the last six years that security should start from knowing who the user is," McNulty said. "The strength of authentication – from fixed passwords all the way to two-factor authentication – should be appropriate to the value and sensitivity of what you're gaining access to."

Donal Casey of IT consultancy Morse said, “Businesses need to wake up and take some action. It’s ludicrous that businesses are relying on passwords alone to protect their data. Businesses must make sure that they firstly put in place a range of measures to protect against things like identity theft, but secondly that they make sure all these measures are integrated so that there aren’t any holes for hackers to exploit."

The full results of the survey will be released at the InfoSecurity Europe event in London in April.