Almost all (99%) UK companies now backup their critical IT systems and data and 92% consider disaster recovery as an important drive in their IT expenditure, according to the 2008 Information Security Breaches Survey.

The number of companies with a disaster recovery plan in place now stands at 72%, up from 58% in 2006. This figure reaches 91% in large organisations.

But the research, which was carried out by a consortium led by PricewaterhouseCoopers on behalf of the Department for Business, Enterprise and Regulatory Reform (BERR), also discovered alarming holes in the disaster recovery habits of businesses.

More than a quarter (28%) of companies still do not have a disaster recovery plan in place, it found, of those that do half fail to regularly test them. A further 15% of companies fail to take their backups off-site, although the amount doing this rose from 76% two years ago to 85%.

"It is encouraging to see that almost every UK business makes backups and the vast majority now take these backups off-site," Chris Potter, partner, PricewaterhouseCoopers LLP. "The risks are well understood; it does not take an incident to raise awareness.

"The number of companies with a disaster recovery plan has gone up," he added. "However, experience shows that plans are only effective if regularly tested. It is a concern that only half of plans have been tested in the last year."

The research also revealed that when companies suffered a systems failure or data corruption incident, 31% had no contingency plan in place and a further 10% found their contingency plan to be ineffective.

The south-west has now overtaken London as the region with the most disaster recovery plans in place - possibly as a result of last year's floods - but fewer of these plans are tested than in other regions, the survey discovered.