While companies recognize the value of their data, protecting against sophisticated cyber attacks at all hours of the day seems impossible. Earlier this month, tech writer Mat Honan made headlines when his entire digital life was hijacked and deleted on a hacker's whim. Even IT security executives lack confidence in their ability to protect against security threats.


“Hackers are very good and very patient,” warns Carolyn Holcomb, leader of the data protection and privacy practice at PwC. “And they are in most organizations' systems.”


A survey released by PwC last week noted that there were 1,037 publicly reported incidents of loss, theft or exposure of personally identifiable data last year, up 30% from 2010.


Richard Stiennon, chief research analyst at cybersecurity analyst firm IT-Harvest, says that number is only “the tip of the iceberg,” because most companies only report data breaches when required to do so by law. “If you're in banking, oil and gas, or any natural resources, or any legal firm, then you're probably being targeted,” he says.


Hackers are still hunting for financial data, but they're also getting more sophisticated. “They are now looking for the person in the organization who authorizes payroll checks through ACH, or payments through accounts payable,” Stiennon says. Phishing is still one of the most common ways that data breaches occur, with hackers targeting employees with access to confidential information, like system administrators and executive assistants, with phony e-mails.


“There are a lot of companies that are either getting attacked [or being hit by] data breaches,” says Janis Parthun, a senior technical manager at the American Institute of Certified Public Accountants. The AICPA's Generally Accepted Privacy Principles provide a framework that businesses can use to develop their own privacy practices. Breaches of customer information like those that occurred earlier this year at LinkedIn and Zappos “can impact the company's image and their brand,” Parthun says, noting that companies can also find themselves facing fines or regulatory sanctions.


Most IT executives don't feel confident that they can protect sensitive data from attack, according to a survey of 100 companies that Stiennon put together with cybersecurity solution provider CounterTack. One-third of those whose companies had already been attacked were skeptical that they could defend themselves against a second attack, and a fifth of respondents didn't think their organization would be able to tell if a file or process had been modified by a cyberattack.


The PwC study emphasizes the importance of management and internal audit to protect against data breaches.


“Everyone is implementing data loss prevention tools,” Holcomb notes, but security risks can still slip through the cracks if there is no final responsibility for it at the management level. It's essential to put good governance structures in place and have the audit committee of the board ensure that processes are being followed.


“I've seen organizations who have organized privacy committees” or established risk committees that deal with privacy at the board level, Holcomb says. The best organizations establish key controls for privacy and security just as they do for financial processes. A defined list of controls with specific people in charge of each helps everyone know what their responsibilities are and understand what internal audit is monitoring, she says.


And it's not just a once-a-year task. “They should be doing ideally a risk assessment and review of policies continuously,” Holcomb says. Data security has become a 24/7 job, Stiennon agrees, and notes that some hackers even target their attacks for the weekend, when everyone has left the office.


According to CounterTack's survey, 19% of companies are currently revamping their internal processes and strategies to deal with targeted cyber attacks. Stiennon says one of the easiest ways to protect your company is simply to make sure you're updating your systems. All applications and operating systems announce new vulnerabilities each month. “If you were doing patch management perfectly, you would have no holes in your system other than very obscure [threats].”


For more recent coverage of cyber issues, see Cyber Risk Concerns Not Leading to Insurance and China Hackers Hit Businesses.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.