By Darren Waters
Technology editor, BBC News website
Some companies are failing to encrypt data
Companies and public bodies are not doing enough to protect customers' data, the UK's privacy watchdog and a major survey of security have said.
The Information Commissioner said that the 94 security breaches reported to him last year was an "alarming" number.
The survey of more than 1,000 firms suggested that almost 90% of them let staff leave offices with potentially confidential data stored on USB sticks.
Firms and public bodies were urged to make data protection a priority.
Information Commissioner Richard Thomas said of the 94 data breaches, two thirds were committed by government or other public sector bodies.
Data had been recovered in only three of the 94 cases, he said.
The material included personal details of UK citizens, including health records.
"The evidence shows that more must be done to eradicate inexcusable security breaches," he said.
Mr Thomas' findings and the separate Information Security Breaches Survey will be detailed at the InfoSec show in London, the world's largest event of its kind.
The survey was carried out by PricewaterhouseCoopers on behalf of the Department for Business Enterprise and Regulatory Reform.
According to the survey, almost 80% of firms that had reported a stolen computer had not encrypted data on the hard drive.
Chris Potter, from PricewaterhouseCoopers, which compiled the survey, told BBC News that overall attitudes to security had improved in the last 12 months.
"Companies have focused on the areas which have caused them most damage in the past, such as viruses and system failures.
"These tend to have caused the greatest cost in terms of business interruption."
But he said the "biggest concern is around the protection of customer data, which companies clearly want to be good at.
"Sometimes that's not translating into real action."
He said particular threats were around the lack of encryption of data on laptops, the use of USB memory sticks and newer technologies like Voice over Internet Protocol.
"In all these areas the controls are not as strong as they are over traditional threats," he said.
Mr Potter's comments were echoed by those of the Information Commissioner.
Mr Thomas said: "The government, banks and other organisations need to regain the public's trust by being far more careful with people's personal information.
"Once again I urge business and public sector leaders to make data protection a priority in their organisation."
For Peter Yatt, head of information security at risk consultancy Control Risks there needs to be a major shift in employee attitude before organisations can claim to be watertight.
"Our own survey found that 40% of employees are happy to talk about their credit card details on the phone at work and not even think about it. You used to be able to protect firms with firewalls but those days have gone now," he said.
Data lawyer Susan Hall believes that having a policy on data security is no longer enough.
"Having a policy is as effective as rubbing lemon on your face if people aren't taking notice of it. It's got to be a case of a complete buy-in from the top to the bottom of an organisation," she said.
Organisations are struggling to control their data because they do not want to damage relationships with employees, she said.
"A gatekeeper mentality is difficult because employers don't want to say that they don't trust thier employees with their data," she said.
Of the total reported to the commissioner, 62 security breaches were in the public sector, 28 were in the private sector and four in the charity or third sector.
Of those reported by public sector bodies, almost a third happened in central government and associated agencies, and a fifth in the NHS.
According to the PricewaterhouseCoopers report, fewer companies today are encrypting data on laptops than two years ago, despite a recent spate of high-profile instances of laptop losses with unencrypted information.
Mr Potter said: "We have seen in successive surveys that companies tend to be very good with preventing yesterday's problems. Companies need to say on their toes to make sure they are addressing tomorrow's problems."
The report found that the number of attempts to hack into company networks had risen dramatically over the last two years.
"What is a really big concern is the proportion of large businesses that say hackers have got into their networks," said Mr Potter.
Two years ago one percent of large businesses reported a hacker penetration compared to 13% in the current report.
The survey also said that figure was likely to be under-reported because many large firms did not admit to successful hacks on their networks.
Security breaches cost UK business roughly several billions pounds a year, said the report.