Some of the worst security breaches occur because a business was too lazy or too lax to properly protect its data. And too often, those breaches come from inside the company.
For example, an employee who has access to private database information leaves the company, but the IT department doesn't immediately shut down the former employee's user ID and password. Employees share information with others who don't have proper clearance. Computers are left unprotected in public areas. You get the picture.
The health care and health insurance industries are among the worst offenders, even though Health Insurance Portability and Accountability Act (HIPAA) was enacted in 2005.
Have you considered a conducting a security audit in your company? The security audit will determine how well your IT security is working and what yet needs to be done to improve it.
An Arcane Security blog post stated it well:
"Security audits help senior managers and especially CSOs to identify the weak points in their architecture. Having such information at hand, senior managers can develop a better mitigation plan, and spend only the money required to fulfill the plan. This gives them greater control of the money expenditure and thus no budget is lost in mitigating small risks. We must always remember that security is all about protecting critical corporate information."