Concerns over data security continue to haunt organizations, with the vast majority of global companies indicating they feel vulnerable to data threats.

The worry is justified, according to a new study, as too many organizations focus on compliance ahead of breach prevention; and invest in technologies that do not prevent data breaches.

Those are among the findings of a study by 451 Research and Vormetric, a leader in enterprise data security for physical, virtual, big data and cloud environments.

The 2016 Vormetric Data Threat Report, the fourth annual study of IT security trends, which polled 1,100 senior IT security executives at large enterprises worldwide. The study looks at thee rates of data breach and compliance failures, perceptions of threats to data, data security stances and IT security spending plans.

Among the study’s findings:

• Roughly 39% of respondents indicated their organization has either experienced a data breach or failed a compliance audit in the past year -– and nearly two-thirds (61%) have been breached at some point in the past

• 63% of U.S. respondents believe privileged users are the most dangerous insiders, up from 59% last year and almost 2X the number of 2013

• Globally, more than 70% of respondents felt ‘concerned’ or ‘extremely concerned’ about the potential ramifications of attacks on the cloud

“Critical findings illustrate organizations continue to equate compliance with security in the belief that meeting compliance requirements will be enough, even as data breaches rise in organizations certified as compliant,” the study reported. “Investments in IT security controls were also shown to be misplaced, as most are heavily focused on perimeter defenses that consistently fail to halt breaches and increasingly sophisticated cyberattacks.”

“Compliance does not ensure security,” said Garrett Bekker, senior analyst, enterprise security, at 451 Research and the author of the report. “As we learned from data theft incidents at companies that had reportedly met compliance mandates (such as Anthem, Home Depot and others), being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen. But we found that organizations don’t seem to have gotten the message, with nearly two thirds (64%) rating compliance as very or extremely effective at stopping data breaches.”

“Organizations are also spending ineffectively to prevent data breaches, with spending increases focused on network and endpoint security technologies that offer little help in defending against multi-stage attacks,” added Bekker. “It’s no longer enough to just secure our networks and endpoints.”

Global Considerations The report also finds significant differences in the primary drivers for data security strategies around the world:

• Compliance requirements were top drivers in the U.S. (54%), Australia (51%) and Germany (47%)

• In Japan, requirements from business partners, customers or prospects were the highest priority (50%)

• Reputation and brand protection were the most important spending drivers in the U.K. (50%) and Mexico (58%)

Some of the greatest differences identified were in planned spending increases on data-at-rest defenses, the most effective solutions for protecting data from multi-phase, multi-layer attacks. These differences suggest again that many organizations are less concerned about preventing data breaches than they are with checking the compliance box, Bekker explained.

Perceptions of risk from cloud and privileged insiders continued to increase around the globe from last year, Bekker notes, while the perception of risk from mobile devices decreased as organizations started to recognize relatively small volumes of sensitive data reside on these devices.

• 63% believe privileged users are the most dangerous insiders, an increase from the rate of 57% measured last year

• 44% consider cloud environments a “top three” risk for loss of sensitive data, up from 40% the previous year

• Perceptions of risk from big data implementations dropped from 25% last year to 20% this year