Enterprises are woefully underprepared to handle cybersecurity incidents, as 77% of respondents indicate their organization lacks an incident response plan applied consistently across the enterprise, according to a study conducted by the Ponemon Institute and IBM published Thursday. These results are consistent over the last four years of the study, painting a bleak picture of emergency preparedness.

The survey of over 3,600 security and IT professionals around the world found that of the organizations that do have a plan in place, 54% do not test their plans regularly. Emergency preparedness plans, like data backups, are only particularly useful if you test them to know that they work.

SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)

A lack of skilled security professionals is contributing to the problem, with understaffing putting strain on security teams. According to the report, only 30% of respondents indicated staffing for cybersecurity is sufficient, while three quarters rated the difficulty of hiring and retaining skilled cybersecurity personnel as moderately high to high. Likewise, participants indicated they have 10-20 open seats in the cybersecurity team in their organizations.

Throwing security tools at the problem is actually becoming counterproductive, as 48% of respondents indicated their organization has deployed too many separate tools.

Some 23% indicated they used significant amounts of automation in their cybersecurity plans, and respondents from those organizations said they do feel more confident than others in their ability to prevent cyberattacks, at 69% versus 53%.

For more, learn about the 5 IT security roles businesses are most desperate to fill, why vendor security practices are causing heartburn for enterprise pros, and how to prioritize your security efforts.