Companies know the risks, but still ambivalent about taking action.
It’s going to take more than a massive hack against Sony Pictures, Anthem, and the Internal Revenue Service to persuade business executives to protect their companies from data breaches.
A recent survey of 1,000 business executives by consulting company NTT Com Security said that the only half of the polled respondents had a formal plan in place to protect their data and networks in case of an attack. Additionally, a quarter of these executives “are certain that their company will suffer a security breach in the future,” the report stated.
The polled respondents represented U.S. and European companies with the majority working in the finance sector.
The report likened the businesses executives’ lack of urgency toward protecting their companies from security breaches to people who smoke cigarettes and “eat bad food” despite knowing that these habits can be dangerous.
Get Data Sheet, Fortune’s technology newsletter.
Although executives now consider lax cyber security to be more of a risk to their business than they once believed, that hasn’t been enough to cause them to double down on security-related investments and initiatives. Roughly a third of the respondents spend “money on marketing than on information security,” the report stated.
Part of the reason the report’s authors believe executives aren’t doing enough to protect their companies is because they are procrastinating on security-related projects and initiatives. These executives seem to be more willing to wait for an attack and then clean up the mess as oppose to stopping it before it occurs.
It should be noted that this report was put together by a security consulting firm that would benefit financially if a business were to use its services.
Still, the report is noteworthy because it highlights the mindset of some executives when it comes to security spending.
For more on security watch our video:
There seems to be a major hack on a corporation or government agency each week, but it’s hard to change a longstanding company culture on security practices overnight. This is especially true if businesses are adjusting their IT spending in light of a weakening overall marketplace.
Last week, security giant FireEye feye said it was lowering its guidance due to a decrease in cyber security spending that it expects to occur this year. FireEye chief executive Dave DeWall explained that sales of cyber security products jumped last year in light of major hacks on corporations but he doesn’t see that trend continuing (at least for FireEye).