Companies skip this security check, though, because it's expensive and time-consuming, says PwC's Lobel. Checking out a partner's security and privacy practices would take at least one full-time employee at least two days for the smallest company, he estimates. "A large company may have literally thousands of partners," he says.

Protect Information, Not Just Systems

Where data is and where it's going constantly worries information security managers. Thirty-eight percent of the managers we surveyed said they experienced one to 49 security events in the past year, and another 35 percent say they don't know whether they have been hit. Those figures are close to last year's results.

Among those in our survey who experienced incidents, 39 percent found out about them via server or firewall logs and 37 percent used intrusion detection or prevention systems. But a significant number—36 percent—say a colleague clued them in. These figures reflect an unchanging trend showing that the human element is just as important as any technological one when it comes to good security. More evidence of the need for diligent and repeated employee training.

Investing employees with responsibility for keeping data correct and protected is the best way for a company to guard against security threats, says Tim Stanley, CISO at Continental Airlines.

Stanley wants to categorize every file in the enterprise by three variables: owner, business value and risk level. The government has "top secret," "secret" and "confidential" ratings, but Continental's designations will be more granular and dynamic, using tiers and subsets of tiers. Thinking this way vaults Continental ahead of most companies. Just 24 percent report that classifying the business value of data is part of their security policies. While 68 percent classify their data according to risk level, at least periodically, 30 percent don't ever do it.

The complexity of such a project explains the low numbers, Lobel says. "Doing this project is a lot of effort, and unless there's a regulatory need for it, many don't do it."

Stanley expects the project to take three or four years. "Anything that keeps planes in the air and money coming through is Tier 1," Stanley explains. That would include information about crew scheduling, and cargo and fuel needs, as well as credit card processing information. Tier 2 or 3 is still important to protect, but not critical to keeping planes aloft, for example, providing employees access to their 401(k) accounts.

Security technology and procedures will correspond to the risk and tier level in which a given piece of data falls, as defined by the data owner. Tier 1 might mandate twice-a-day backups and two-factor user authentication, he says. "I can expend my resources more appropriately to our data's value and therefore save the company money," he says. "Stop spending $10 to protect $5 worth of data." Music to an airline CEO's ears, no doubt.