The IT Policy Compliance Group today released research showing 20 percent of enterprises suffer from more than 22 sensitive data losses per year.

The most sensitive losses include customer, financial, corporate, employee, and IT security data, which is either stolen, leaked, or destroyed, according to the research report entitled "Taking action to protect sensitive data."

The primary channels through which data is lost, in order of risk, includes PC's, laptops and mobile devices, e-mail, Instant Messaging, applications and databases.

Organisations that experience publicly reported data breaches suffer an eight percent loss of revenue.

Compounding the revenue and customer losses are additional expenses averaging $100 per lost or stolen customer record to notify customers and restore data, accordinig to the compliance group which is made up of members from the Computer Security Institute, the Institute of Internal Auditors, Protiviti and Symantec.

The group conducts fact-based benchmark research to determine the best practices that result in improvements to IT compliance results for organisations.

The Institute of Internal Auditors director of technology practices, Heriot Prentice, said preventative measures such as built-in IT controls are vital to ensuring that businesses protect the data they collect.

"It shouldn't be an afterthought, but rather considered up-front in the design of hardware and software redundancy to ensure the information is kept secure and supported throughout the data lifecycle. It's that simple. If you collect it, then protect it," Prentice said.

The benchmark results of the research show that firms with the fewest data losses are identifying sensitive core business data, mitigating user errors, policy violations and internet attacks, and monitoring many different IT controls and procedures weekly.

The first line of defense to protect data continues to be the people who are handling data. Businesses must develop and update policies for sensitive data protection, handling, retention, and destruction that include accountability programs, the report said.

Computer Security Institute director, Robert Richardson, said while some results give cause for alarm, there's also the strong suggestion that some organizations have managed to provide responsible oversight of their data.

"These are organisations we want to applaud and to emulate," Richardson added.

Organizations with the fewest losses are spending more time monitoring policy compliance and are employing multiple IT controls to reduce the loss of sensitive data.

Best-in-class organisations are monitoring and measuring controls and procedures to protect sensitive data once a week, while most firms are conducting such measurements only about once every 176 days.

In addition, these organizations classify IT security and regulatory data as sensitive and take the necessary steps to secure it.