
Out-Law News

FSA reports on IT security and financial crime


The UK's Financial Services Authority last week reported on how financial firms are managing their information security in the fight against fraud and other financial crime, revealing that small and medium-sized firms are not well prepared.

According to the report, which assessed 18 firms, some major companies, particularly in the banking sector, have responded well to threats from hackers, fraudsters and phishing attacks, but other sectors and SMEs have a lot to do.

Although financial losses to firms and customers were found to be low, firms could do more to address the potential risks rather than responding to attacks once they have occurred. In particular, said the FSA, senior management needs to take on responsibility for information security, which includes the need for firms' defences to be continuously reviewed and updated to keep on top of the increasingly sophisticated methods used by criminals.

"Hackers and fraudsters are refining and improving their techniques as we speak," said Philip Robinson, Financial Crime Sector Leader at the FSA. "In the fight against fraud, firms will have to run to stand still if they are to protect their assets and those of their customers."

"Having been the target of criminals in recent times, via the internet and other technologies, the major banks tend to have strong defences in place. But there is no room for complacency and criminals will seek to exploit vulnerable points where they can find them, including in other sectors or smaller firms," he warned.

According to the report, traditional threats to information security still existed in some firms because they did not invest adequately in their security frameworks. Some did not properly control employee access rights or user administration in their networks. Legacy systems with poor security design were also identified as a common threat.

Few firms were found to have built relations with the various industry bodies and government agencies that are working to reduce financial crime, and many small-to-medium-sized firms were unaware of the support available to them from schemes designed to offer advice on best practice.

The report also highlighted the growing evidence that organised crime groups are deliberately targeting firms, placing staff in them to commit financial crime, particularly identity theft. Firms must vet their staff carefully before confirming their appointment, warned the FSA.

According to the report, firms should also be aware of the risks associated with the use of instant messaging, PDAs and other portable devices with a USB (Universal Serial Bus) connection – one of the main standards for connecting devices to computers – all of which could be used to steal or transfer corporate information.

Such devices could also introduce malware, such as viruses, into the corporate network, and firms should raise employee awareness about the risks associated with connecting personal devices to the company systems, warned the watchdog.

These new threats, the report concluded, have served to remind firms of the need to secure their assets and those of their customers from both internal and external threats. Security awareness campaigns for customers were also identified as an effective defence strategy being used by firms.

"Firms should follow a preventative approach rather than reacting to a situation once it has happened which can be costly and damaging to reputation," said Robinson. "Consumers must also take steps to prevent attacks from fraudsters, by taking care when disclosing their personal details or following the security tips offered by their on-line banking service."

This advice was underlined by the Association for Payment Clearing Services (APACS) last week when, speaking to the BBC, APACS director of corporate communications Sandra Quinn confirmed that in future years customers who did not take reasonable care in dealing with unsolicited e-mail might not be refunded for their losses if they then fell victim to a phishing attack.

"We want to make sure customers know what types of frauds there are and how to avoid being a victim," she explained. "While customers don't know of all the risks, the safety net exists."

"What we have always said is that we won't forever provide a guarantee," Miss Quinn told the BBC.
