Companies that pass muster in regulatory audits such as those for Sarbanes-Oxley also keep their data more secure, according to a study by the IT Policy Compliance Group. But these leaders are few.

Out of 454 companies, primarily in the United States, only 13 percent were found to be leaders when it came to protecting their corporate data, defined as companies that suffered three or fewer incidents of data loss or theft in a year. Almost all (96 percent) of these companies also came out nearly clean in annual regulatory audits, with three or fewer compliance deficiencies they had to address.

The reverse holds as well. Sixty-four percent of "compliance laggards" (companies with more than 16 compliance deficiencies) had the worst records for data loss and theft: more than 12 incidents a year.

IT provides the connection between compliance and data security. For 88 percent of companies considered "normal" or "lagging," the top 10 compliance deficiencies are mainly IT-related. These include insufficient system access controls, security policies and IT change management.

What are the leaders doing right? The study noted several common practices:

Safeguarding IT security data is a top priority. Companies with the most data losses ranked protection of IT security information among their lowest priorities.

Leaders assiduously document configuration and application changes.

They spend more time trying to protect information and prevent data breaches.

They also audit and assess their procedural and technical controls more often: on average, every 19 days.