More enterprises are spending more money than ever before on security solutions, yet the amount of data lost, stolen or otherwise compromised is on the rise, Gartner Research Vice President Debra Logan told an audience at the Gartner Compliance & Risk Management Conference in Chicago this week.

However, most of the data breaches aren’t from hackers or internal thieves but from bad business processes and policies. “IT security can only go so far,” Logan said.

Rather than relying on security alone, a company also needs to do a better job of information governance, that is, managing policies and practices regarding company information.

Gartner defines information governance as “… an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information.”

Retention policies are particularly critical when it comes to e-mail, which Logan called a company’s biggest risk for information liability. E-mails are subpoenaed in 75 percent of cases dealing with corporate information. There are no legal reasons and few corporate reasons for keeping e-mail longer than three years, Logan added.

"Information retention projects should always involve house counsel or outside counsel” and IT personnel should provide guidance with their technical know-how, Logan explained.

In establishing an information governance framework, companies must determine what information is valuable, who is responsible for what information and how long information should be retained, according to Logan.

Some companies have started to implement information governance, but too often these efforts are on a department-by-department basis rather than across the entire enterprise, Logan said. For better effectiveness, information governance should be handled company wide.