Midsized companies do a better job protecting their customer information than that of their own employees or their internal intellectual property, a new study found.

Nearly one-third of companies and organizations with 100- to 2,000 employees in the US, Canada, India, Australia, Japan, and Malaysia, say they don't regularly encrypt their employees' bank information, and 43% don't always encrypt human resources files. Nearly half say they don't routinely encrypt employee health information, according to the Vanson Bourne survey conducted on behalf of security vendor Sophos.

And at a time when the US and other governments are trying to nip cyber espionage for economic gain in the bud via talks with China--one of the main offenders of that practice--nearly one-third of midsized organizations aren't routinely encrypting their financial data and 45% say they don't always encrypt their intellectual property.

Encryption remains a big missing link in many data breaches, and apparently, in many organization's security practices. The study found that 44% of midsized companies say they widely deploy encryption, while 43% do so at some level. US companies encrypt the most (54%) and Malaysia (26%), the least. And overall, just 38% of smaller organizations (100- to 500 employees) encrypt widely, while half of larger ones (from more than 500 to 2,000 employees) do so.

Certain vertical industries of course, such as financial services, adopt encryption more widely.

"That companies are prioritizing customer over employee data is not surprising. But it is surprising how much employee data is exposed out there. And [that they are] leaving intellectual property and financial data unencrypted was just shocking to me," says Marty Ward, vice president of product marketing at Sophos.

While some 84% of respondents say they're worried about cloud security, about 39% are encrypting all files they send to the cloud, and 47%, some of their files.

Despite the counterintuitive practice of not widely protecting employee and internal organization data with encryption, there are signs of improvement and gradual adoption of encryption as a routine best practice. "Two years ago, the number of them not encrypting was in the 75% range. The fact that we're going toward the 50-50 range is actually an awareness of their part that they don't want to be [the organizations] in the press" hit by a big breach, Ward says.

And the move toward file encryption versus pure disk encryption is also a positive development, he says.

So why are so many midsized organizations still not encrypting all the (sensitive) things?

Nearly 40% cite budget constraints; 31%, performance tradeoffs with encryption; and 28%, lack of encryption deployment know-how. About one-fifth say they don't have legal or regulatory requirements for encryption, and 19% say encryption isn't effective for locking down sensitive information.

The performance and complexity hurdle arguments are "myths that have been busted," Ward contends. "Encryption is a lot simpler" than it once was, and in many cases, invisible to the user, he notes. But given some of the respondents come from smaller firms with few security resources, the complexity argument isn't surprising.

Meanwhile, the good news is that most of the organizations say they do have plans to more widely encrypt their data in the next one- to two years, the report says.