The IT Policy Compliance Group has released research showing 20% of enterprises suffer from more than 22 sensitive data losses per year.
The most sensitive losses include customer, financial, corporate, employee, and IT security data, which is either stolen, leaked, or destroyed, according to the research report entitled "Taking action to protect sensitive data."
The primary channels through which data is lost, in order of risk, includes PC's, laptops and mobile devices, email, instant messaging, applications and databases.
Organisations that experience publicly reported data breaches suffer an 8% loss of revenue.
Compounding the revenue and customer losses are additional expenses averaging US$100 per lost or stolen customer record to notify customers and restore data, according to the compliance group which is made up of members from the Computer Security Institute, the Institute of Internal Auditors, Protiviti and Symantec.
The group conducts fact-based benchmark research to determine the best practices that result in improvements to IT compliance results for organisations.
The Institute of Internal Auditors director of technology practices, Heriot Prentice, says preventative measures such as built-in IT controls are vital to ensuring that businesses protect the data they collect.
"It shouldn't be an afterthought, but rather considered up-front in the design of hardware and software redundancy to ensure the information is kept secure and supported throughout the data lifecycle. It's that simple. If you collect it, then protect it," Prentice says.
The benchmark results of the research show that firms with the fewest data losses are identifying sensitive core business data, mitigating user errors, policy violations and internet attacks, and monitoring many different IT controls and procedures weekly.
The first line of defense to protect data continues to be the people who are handling data. Businesses must develop and update policies for sensitive data protection, handling, retention, and destruction that include accountability programs, the report says.
Computer Security Institute director, Robert Richardson, says while some results give cause for alarm, there's also the strong suggestion that some organisations have managed to provide responsible oversight of their data.
"These are organisations we want to applaud and to emulate," Richardson adds.
Organisations with the fewest losses are spending more time monitoring policy compliance and are employing multiple IT controls to reduce the loss of sensitive data.
Best-in-class organisations are monitoring and measuring controls and procedures to protect sensitive data once a week, while most firms are conducting such measurements only about once every 176 days.
In addition, these organisations classify IT security and regulatory data as sensitive and take the necessary steps to secure it.
IT Compliance Group managing director, Jim Hurley, says failing to protect IT security and regulatory audit data is like a bank giving away the combination to the vault.
"Instead of securities and cash, these firms are putting sensitive data, customers, revenues and business futures entirely at risk," he says.
The report provides a number of recommendations to improve protection from increasing the frequency of audits to implementing technology to mitigate user errors and policy violations.