Financial institutions are underestimating the risk of data loss to their business and must change their attitudes if they want to arrest the rapid growth in online fraud, according to a new report by the Financial Services Authority (FSA).

The watchdog visited 39 firms including banks, building societies, insurance companies and financial advisers to compile the report: Data Security in Financial Services.

It found common problems such as organisations not encrypting laptops or checking that their third party suppliers have adequate security measures in place. It also found that although most larger firms devote enough resources to data security, they don't plough enough into staff awareness training or risk assessments.

The FSA recommended firms to appoint a senior manager in charge of data security, to encrypt laptops and use secure internet transfer links, and mask financial details when it's not necessary for staff to see them.

Mike Maddison, UK head of security and privacy at consultancy Deloitte, welcomed the report, adding that by providing firms with examples fo good and bad practice, the document will " help organisations to fully understand regulators’ expectations".

"Many organisations struggle to co-ordinate the management of [data security] risks which are owned by different parts of the business," he explained. "The FSA recommendation to appoint a senior manager with overall responsibility for data security, in conjunction with the publication of more information to help management understand their responsibilities, will go some way towards addressing this.”

Suzanne Rozier, UK strategy director at data integration firm Informatica, said the report should be a warning to financial institutions to sort out their data security strategies.

“Financial service organisations can’t rely on one single form of data protection – they need to deploy several protection technologies in order to create an impossible jigsaw puzzle that thieves can’t piece together," she added. "Data should not be leaving companies without first taking the appropriate protective measures such as Data Masking."