Out of 454 companies, primarily in the United States, only 13 percent were found to be leaders when it came to protecting their corporate data—defined as companies that suffered three or fewer incidents of data loss or theft in a year. Almost all (96 percent) of these companies also came out nearly clean in annual regulatory audits, with three or fewer compliance deficiencies they had to address.

The reverse holds as well. Sixty-four percent of "compliance laggards" (companies with more than 16 compliance deficiencies) had the worst records for data loss and theft: more than 12 incidents a year.

IT provides the connection between compliance and data security. For 88 percent of companies considered "normal" or "lagging," the top 10 compliance deficiencies are mainly IT-related. These include insufficient system access controls, security policies and IT change management.

What are the leaders doing right? The study noted several common practices:

• Safeguarding IT security data is a top priority. Companies with the most data losses made protection of IT security information among their lowest priorities.
• Leaders assiduously document configuration and application changes.
• They spend more time trying to protect information and prevent data breaches.
• They also audit and assess their procedural and technical controls more often-on average, every 19 days.