Enterprises are investing heavily in compliance and protection against accidental leaks of custodial data, but under-investing in protection against theft of far more valuable corporate secrets, according to a new report from Forrester Consulting, commissioned by Microsoft and RSA, the security division of EMC.

The survey of 305 IT security decision-makers worldwide found that while organisations focus on data security incidents related to accidental loss, information theft by employees or trusted outsiders is more costly.

According to the study, nearly 90% of enterprises surveyed agreed that compliance with PCI-DSS, data privacy laws, data breach regulations and existing data security policies is the primary driver of their data security programs. Significant percentages of enterprise budgets (39%) are devoted to compliance-related data security programs.

The study found that secrets comprise 62% of the overall information portfolio’s total value while compliance-related custodial data comprises just 38%, a much smaller proportion.

The firm said that every company surveyed rated its security controls as equally effective, despite wide variation among respondents in security spending, views on the value of information and the number of security incidents reported.

Forrester, Microsoft and RSA recommend that enterprises identify the most valuable information assets in the company’s portfolio; create a risk register of data security risks that documents specific threat scenarios; assess and reprioritise the IT security program’s balance between compliance and protecting secrets; and increase vigilance over external and third-party business relationships.