ICO says just 19% of firms accept offer of free security audits

According to Computer Weekly, whilst private enterprises make up a third of data security breach claims, many continue to resist the offer of an audit by the ICO.

"Businesses should be more willing to undergo data protection audits, said Information Commissioner, Christopher Graham, because the ICO's good practice audits are designed to help organisations and businesses meet their data protection obligations", says the newswire.

"According to the ICO report, only 19% of businesses contacted by the ICO accepted the offer to undergo free data protection audits. In contrast, 71% of public sector organisations contacted voluntarily agreed to be audited", the newswire adds.

Graham is quoted by CW as saying that these audits are not about naming and shaming those who are getting it wrong.

"The fact that a company has undergone a consensual audit should count as a badge of honour, showing that the business takes data security seriously. After all, sound data protection practices are irrevocably linked to providing good customer service", he said.

Mike Smart, solutions director of EMEA for SafeNet, is quoted by CW as saying there is no excuse for an organisation entrusted with personal data failing to improve data protection.

He told the newswire that the combination of encryption and authentication technology is readily available and proven to work.

"While the ICO doesn't want to come across as naming and shaming, recent high-profile security breaches are making organisations really anxious", he said.

Over at SecurEnvoy, CTO Andrew Kemshall said that what those companies that effectively reject ICO assistance with a security audit do not realise is the potential damage that a data breach can pose to their organisation.

"And we are not just talking about potential ICO penalty fines here, but the effect on the firm's public reputation and, for larger companies, their share price", he said.

"Where previously many industry observers - ourselves at SecurEnvoy included - would have attributed the lack of interest in ramping up a firm's data security defences as being due to economic issues, the fact that firms are ignoring the ICO's free audit offer - effectively looking a proverbial gift horse in the mouth - shows the apathy that many managers take towards IT security", he added.

The SecurEnvoy CTO went on to say that, in his opinion, directors should not ignore offers of a free security audit, especially after arousing the interest of the ICO's staff: "they need to embrace the IT security needs of their company", he noted.

What many people do not realise, he explained, is that companies are legal entities in their own right and, as such, have their own rights under the law.

This is, he says, what the Companies Act and other legislation seeks to lay down in the law books.

Unfortunately, adds Kemshall, it is only when a company goes to the wall that questions are asked by investors and shareholders, and by then breaches of fiduciary duty are quite expensive to remediate and pursue through the courts.

Ross Brewer, vice president and managing director of LogRhythm, was similarly scathing, noting that the last year has been punctuated by a number of high-profile organisations falling victim to data breaches.

"As a result you would think those deemed high risk by the ICO would welcome its help in identifying and resolving any potential weaknesses. However, the behaviour of those refusing audits is indicative of the attitude that led to this situation in the first place", he said.

"Too many organisations are in denial about the scale of the threat and the possibility that they will be affected", he added.

Brewer argues that one of the main reasons these companies are so in need of the ICO's help is that they are unlikely to have taken steps to develop a full understanding of their IT systems.

"All IT networks generate log data that can be used to monitor performance and identify anomalies. However, due to a number of factors, including the volume of logs produced and sometimes just plain ignorance, many organisations are not using this crucial information effectively", he said.

"Aside from accepting the ICO's assistance these organisations should be looking to implement centralised, automated systems that provide the traceability required to spot weaknesses and, if aberrant activity does occur, provide real-time alerts so immediate action can be taken", he added.
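The centralised, automated log review Brewer describes can be illustrated with a small detection routine. The following is an added example written for this article, not code from Infosecurity Magazine or LogRhythm: the sshd log lines, hostnames, user names and documentation-range IP addresses are constructed, and the failure threshold and time window are assumed values. It shows why centralisation matters: a source spreading its failed logins across several hosts never trips a per-host threshold, but does trip the threshold once the hosts' logs are correlated, and a subsequent successful login from that source is flagged as well.

```python
"""Toy centralised log monitor: correlate sshd auth events from several hosts,
alert when one source exceeds a failure threshold within a sliding window,
and flag a later successful login from an already-flagged source."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not real logs): syslog-style sshd lines forwarded
# from three hosts to one collector. Hosts, users and addresses are made up.
SAMPLE_LOGS = """\
2012-03-05T09:00:01 web01 sshd[4101]: Failed password for root from 203.0.113.7 port 40001
2012-03-05T09:00:03 web02 sshd[5120]: Failed password for root from 203.0.113.7 port 40002
2012-03-05T09:00:05 db01 sshd[2210]: Failed password for admin from 203.0.113.7 port 40003
2012-03-05T09:00:07 web01 sshd[4102]: Failed password for admin from 203.0.113.7 port 40004
2012-03-05T09:00:09 web02 sshd[5121]: Failed password for backup from 203.0.113.7 port 40005
2012-03-05T09:00:12 db01 sshd[2211]: Accepted password for backup from 203.0.113.7 port 40006
2012-03-05T09:15:00 web01 sshd[4130]: Failed password for alice from 198.51.100.20 port 50001
2012-03-05T09:15:04 web01 sshd[4131]: Accepted password for alice from 198.51.100.20 port 50002
"""

# Assumed line layout: ISO timestamp, hostname, sshd tag, result, user, source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+$"
)


def parse_line(line):
    """Return a dict for a recognised sshd auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def failures_by_host(lines):
    """Per-host view: host -> source ip -> failed login count (no correlation)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "Failed":
            counts[rec["host"]][rec["ip"]] += 1
    return counts


def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Centralised view: alert once a source ip reaches `threshold` failures
    across all hosts within `window`, and again if it then logs in successfully."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, host) failures
    flagged = set()               # sources that already crossed the threshold
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # unrecognised line: skip, never crash the monitor
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        while q and ts - q[0][0] > window:
            q.popleft()           # drop failures that fell out of the window
        if rec["result"] == "Failed":
            q.append((ts, rec["host"]))
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "brute_force",
                    "ip": ip,
                    "failures": len(q),
                    "hosts": sorted({h for _, h in q}),
                    "first": q[0][0],
                    "last": ts,
                })
        elif ip in flagged:
            alerts.append({
                "type": "success_after_failures",
                "ip": ip,
                "user": rec["user"],
                "host": rec["host"],
                "at": ts,
            })
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for host, per_ip in failures_by_host(lines).items():
        print(f"{host}: {dict(per_ip)}")      # each host alone sees at most 2
    for alert in detect(lines):
        print(alert)                           # the correlated view raises two alerts
```

In practice the two views would come from the same forwarded stream; the per-host table is shown only to make the point that the threshold is crossed by the source, not by any one system it touched.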
