Despite all the data losses that are filling the headlines and leaving hundreds of thousands of people exposed to identity theft, 40% of companies don't monitor their databases for suspicious activity, according to a study released this week.

And it's not that IT managers don't realize how sensitive the information in these databases really is. Seventy-eight percent of those polled said their databases are either critical or important to their business, with customer data most commonly contained within them.

In an increasingly precarious balancing act, IT professionals said their companies are caught between trying to protect data from misuse by external and internal threats, while at the same time giving greater access to the same data in order to drive business initiatives. The Ponemon Institute surveyed 649 IT professionals -- 60% of whom work in CIO or CTO positions -- about how they are doing with this new balancing act.

"Data can be monetized quickly and the bad guys know it," said Larry Ponemon, chairman and founder of the Ponemon Institute, in a written statement. "Organizations that fail to protect their data effectively are proving easy targets, often left to contend with considerable damage to their reputations and financial results."

The study was released Monday during the Gartner IT Security Summit.

According to Application Security, Inc., which sponsored the study, there were more than 150 million data records exposed in the past two years. By another estimate, 53 million people -- including consumers, employees, students, and patients -- have had data about themselves exposed over the past 13 months.

In the survey, of the 40% who said their companies don't monitor suspicious activity in their databases, some of them admitted that they simply don't know if any monitoring is being done. More than half of these organizations have 500 or more databases -- and the number is growing.

What's IT managers' and CIOs' biggest concern? The dreaded insider. According to Ponemon, 57% said they have inadequate protection against malicious insiders, and 55% aren't protected against a general data loss caused by insiders.

"Unless organizations directly protect their databases, everything else they're doing for data security is on shaky ground," said Toby Weiss, president and CEO of Application Security, in a written statement. "As states and the federal government grapple with how to compel organizations to protect consumer privacy, leading organizations are looking inward to protect data where it lives."