If your company has suffered fewer than three breaches of sensitive data in the last year, congratulations -- you are in the top 10 percent of security organizations in the U.S.

That's the conclusion of a new study that will be unveiled tomorrow by the IT Policy Compliance Group, a consortium of security organizations backed by Symantec. The study, conducted between August and October of last year, surveyed 201 companies of varying sizes about their experiences with data breaches, and their practices for preventing them.

The study found that the vast majority of companies -- about 70 percent -- had suffered between three and 22 breaches of sensitive data in the past year. A whopping 20 percent have experienced 22 or more. "Breach" was defined as unauthorized access of data, which includes loss, theft, and inadvertent viewing.

"What this says is that most companies haven't put all the pieces together yet," says Jim Hurley, managing director of the IT Policy Compliance Group and a former analyst at Aberdeen Group. "A lot of them are attacking the problem from one perspective and missing out on others."

So what's the difference between the top tenth percentile, which were hit by three or fewer breaches, and the other 90 percent of the survey base? Some of the answers may surprise you.

For one thing, there's a difference in the way organizations define their "sensitive data." The least successful organizations define it narrowly as financial and critical business information. The most successful organizations include IT security data and IT compliance data in their "sensitive" lists, according to the study.

"What we found throughout the study was that the organizations that did the best were the ones that paid the most attention to security data, compliance data, and security controls and policies," Hurley says. For example, the most successful organizations are those that not only have gained regulatory compliance, but who monitor and check that compliance as frequently as once a week, he says.

"What we saw is that there is a real benefit to establishing strong controls and policies and maintaining them," Hurley says. "If you think you can protect your data by just encrypting everything, you're mistaken."

How do the breaches occur? The top three causes are user error, violations of the corporate security policy, and Internet hacks and attacks, the study says. "But it was interesting, because we found a whole range of other causes that are less frequent, but still have an impact," Hurley says. "Most companies focus mostly on just the top three." Employee malfeasance, insufficient auditing, and insufficient controls are among the areas that many companies overlook, he says.

The origins of data breaches were no great surprise. The most frequently cited losses emanated from PCs, laptops, and mobile devices, followed by leakage via email or instant messaging. Many companies also reported breaches through applications and databases, the report says.

The ITPCG also offered a preview of data it will be releasing in its next study, which focuses on the financial impact of publicly disclosed data breaches. According to that study, companies that suffer a public breach lose an average of 8 percent of their customer base, and show a corresponding decline in revenue. In addition, those companies incur costs of approximately $100 per lost record due to the time and effort required to notify customers of the breach and restore customer data, Hurley says.

Aside from focusing greater attention on policies and controls -- such as monitoring security and usage logs -- companies should take steps to reduce human errors, the report advises.

"It's more than just user training, it's making users accountable for their actions," Hurley says. One company Hurley interviewed has instituted a compensation plan that depends, in part, on maintaining security, he reports. "If there's a breach, the employees don't get their commissions," he says. "I think a lot of companies would be surprised at how much they could improve security with the right carrots and sticks."

An executive summary of the report can be found here. Users must register with the ITPCG to get a full copy of the 32-page study.

— Tim Wilson, Site Editor, Dark Reading