Why Technology Isn't The Answer To Better Security
You've beefed up your IT security arsenal, and you're focused on compliance. But you're still vulnerable. Here's why.
Still, while our survey illuminates continuing problems, uncovering them also reveals a path to safer data for companies that, yes, apply technology but also develop processes and make them part of everyone's everyday work. So it's not all grim. What we have to do now is examine our failings, then act.
The Big Picture: Technology Reigns
Money really is power, isn't it? When asked to indicate any sources of funding for information security, 57 percent of survey respondents named the IT group and 60 percent cited functional areas such as marketing, human resources and legal as major providers. Just 24 percent indicated a dedicated security department budget.
With the IT group a strong force, technology becomes the answer to many security questions. To someone with a hammer, everything looks like a nail, according to the old saw. Divert potential phishing attacks with spam filters. Stymie laptop thieves by encrypting corporate data.
If there's a security tool out there, our survey pool uses it.
Companies have realized they must do a better job disposing of outdated computer hardware, for example, wiping disks of data and applications. Sixty-five percent of respondents now have tools to do that, up from 58 percent last year. More organizations than ever are encrypting databases (55 percent), laptops (50 percent), backup tapes (47 percent) and other media. Use of intrusion-detection software also is up: 63 percent this year compared with 59 percent last year. And installing firewalls to protect individual applications, not just servers and networks, increased to 67 percent from last year's 62 percent.
That's good stuff.
Despite these technology-oriented gains, though, disturbing trends continue in the areas of security processes and personnel—some negate any protection an IT budget can buy. For example, encrypting sensitive data makes good sense, but such technology can't stop an employee from flouting policies concerning how that data should be handled.
If the goal is to secure information, to make it truly safe, you'd better develop processes and procedures for putting your nails in the right place before whacking anything with a technology hammer. Technology must be part of a larger plan to secure information, says Dennis Devlin, chief information security officer at Brandeis University. Devlin reports to Brandeis's vice president and provost for libraries and information technology.
Criminal activity becomes the focus of a lot of what we do in information security. Lock down the Wi-Fi to keep out the bad guy. (Got that, TJX?) But well-meaning people who make bad decisions inflict untold numbers of security incidents upon us, Devlin says. He's seen it at Brandeis, since joining last year, and at Thomson Corp., now called Thomson Reuters, where he was chief security officer for seven years.



