In a survey of large enterprises, 64 percent of more than 1,100 senior IT executives believe that simply meeting cybersecurity compliance requirements, as opposed to striving for best practices, is “very” or “extremely” effective at preventing data breaches.
This contradicts many security experts’ warnings that compliance standards do not constitute acceptable levels of cyberthreat prevention. Additional stats from the survey, detailed in a 2016 “Data Threat Report” issued yesterday by 451 Research and Vormetric, appear to bear out these experts’ concerns. Indeed, 61 percent of survey-takers confirmed their organization has experienced a breach in the past—22 percent within the past year. This 61 percent figure represents a three percentage point increase over last year’s version of the survey. The percentage of execs that cited compliance as highly effective also rose from 58 percent last year.
“Being compliant doesn’t mean you’re secure. I just think old habits tend to die hard in security and it’s going to take some time to educate people that they need to do more than just check off compliance boxes,” said 451 Research Security Analyst and report author Garrett Bekker in an interview with SC Magazine.
Bekker suggested that in some cases, the apparent unwillingness to go above and beyond basic compliance is because IT security is a “grudge spend. It’s not necessarily something a CFO wants to spend their money on. It’s kind of like life insurance,” said Bekker. “It’s always been tough to get funds allocated to security because it doesn’t necessarily give you a tangible benefit.”
Moreover, nearly one-third of IT executives said they felt “very” or “extremely” vulnerable about the safety of their sensitive data. And yet, only 21 percent cited a past data breach as a reason for securing sensitive data, while only 27 percent cited recent major breaches at competitors like Sony, Home Depot or Target as motivation.
The two most popular incentives for spending on IT security were meeting compliance standards and brand protection (46 percent for both).
On an encouraging note, the third most commonly cited reason to secure sensitive data was to follow best practices guidelines. This response experienced the largest year-over-year increase of any answer, from 39 percent to 44 percent—an indication that some businesses may be coming around. Also, 58 percent of respondents said that expenditures to protect against data threats would be at least “somewhat higher” this year—up from 56 percent in 2015.
Current IT spending priorities tended to lean toward classic, old-school network defenses (e.g. firewalls and intrusion prevention systems), which ranked first among intended spending categories at 48 percent. Conversely, products that directly mitigate theft of data in motion and at rest, such as encryption and data loss prevention, came in last (40 percent for data-in-motion defenses, 39 percent for data-at-rest defenses).
While the report suggests that executives may be spending less on encryption because their legacy hard drives and servers already have such built-in measures, “There’s still room to do more for cloud applications, big data and IoT—things that encryption isn’t used all that broadly for,” Bekker explained.
The report also found that the biggest internal data threats within business organizations were identified as privileged user accounts such as administrators (58 percent of respondents), and executive management accounts (45 percent, way up from 28 percent last year). Ordinary employees ranked fifth overall, suggesting that it’s actually the policy-makers who are most guilty of flouting their own security policies.
A surprisingly high 43 percent of respondents claimed to have “complete knowledge” of the locations of their sensitive data. The report suggests that executives may be “in denial” about just how much sensitive data they have disseminated across their operations.
The biggest barriers inhibiting the adoption of data security are lack of staff (38 percent of respondents) and lack of budget (35 percent), the study found.