MeriTalk - Where America Talks Government
Andrew LaVanway


Posted: 4/9/2014


Earlier this week, Symantec released its 19th Internet Security Threat Report. Here’s the upshot: We are terrible at protecting data. 2013 saw 253 reported cyber-induced data breaches – some 22 percent more than the last “year of the data breach,” 2011. Of these, eight exposed more than 10 million identities each.

Are there any unexposed identities left?

Government agencies, proven adept at protecting shores, endangered species, gold bars, and ethanol subsidies, aren’t having much luck when it comes to data. Last week, Greg Wilshusen from GAO told the Senate Homeland Security and Government Affairs Committee that cyber security “incidents” involving personally identifiable information (PII) increased 140 percent between 2009 and 2013 to – wait for it – 26 thousand last year. Twenty-six thousand. That is 71 per day. Every day. Including Columbus Day.

If you think it is bad, it’s actually worse than you think. Turns out that the harder we try, the worse we do. We spent $55 billion on IT security in 2011 and got 208 breaches. We spent roughly $64 billion last year and got 253. We’ve never had more cyber security professionals on watch – and we’ve never lost more data.

At what point do we ask, “Are we looking at this the right way?” If we are failing at data protection (and we are), let’s just assume that the bad guys will get the data if they want it. Then, liberated, we can change the game by changing the ROI:

  • Cut the Take: Monetization of stolen identities is already the biggest bottleneck in cyber theft. By reducing the value of stolen PII – by implementing limits, routinely changing account numbers, etc. – we can make that bottleneck tighter and the rewards smaller. Reduce the return.
  • Increase the Cost: Cyber security shouldn’t focus on preventing access; it should focus on making penetration and exfiltration expensive or time consuming for the bad guys. Use virtualization to create false servers, employ honey traps, add two million false records. Vastly increase the investment that bad guys need to make.
  • Prioritize What You Must Protect: Stop trying to protect everything. Since no one has done it – not even the NSA – it must be impossible to lock everything down. Why try? Lock just one part down. You probably still won’t stop the bad guys, but at least you’ll have a chance.
  • Call in the Professionals: We keep hearing that security is a barrier to cloud adoption. Why? Because the current systems are so secure? Accept, embrace in fact, that cloud providers probably have better security than you do. There are more small plane crashes than commercial plane crashes every year for one simple reason – trained professionals fare better. Is IT different? Please explain.
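Seeding false records only pays off if you can tell when they surface somewhere they shouldn't. As an added example (not code from this post, MeriTalk or GAO), the block below builds decoy PII records whose e-mail addresses carry an HMAC tag, so any log line that mentions one can be flagged without keeping a list of decoys; the key, the names and the log lines are all constructed.

```python
"""Honeytoken records: seed decoys whose identifiers carry an HMAC tag,
then flag any log line that mentions one. Constructed demo, not production code."""
import hashlib
import hmac
import re

# Constructed secret for the demo; keep the real one outside the dataset it guards.
CANARY_KEY = b"constructed-demo-key-change-me"
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+")


def _tag(key: bytes, name: str) -> str:
    # Short HMAC over the decoy's name; 10 hex chars keeps the address plausible
    # while making an accidental match against a real address very unlikely.
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:10]


def make_decoy(key: bytes, name: str, domain: str = "example.com") -> dict:
    """Build one decoy record whose e-mail embeds a verifiable tag."""
    return {"name": name, "email": f"{name}.{_tag(key, name)}@{domain}"}


def is_decoy(key: bytes, email: str) -> bool:
    """Stateless check: recompute the tag from the local part and compare."""
    local = email.split("@", 1)[0]
    if "." not in local:
        return False
    name, tag = local.rsplit(".", 1)
    return hmac.compare_digest(tag, _tag(key, name))


def scan_log(key: bytes, lines) -> list:
    """Return (line_no, email) for every decoy address that appears in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for email in EMAIL_RE.findall(line):
            if is_decoy(key, email):
                hits.append((n, email))
    return hits


if __name__ == "__main__":
    decoy = make_decoy(CANARY_KEY, "liam.okafor")["email"]
    # Constructed log lines: a real-looking login followed by a use of the decoy,
    # which should never happen unless the seeded dataset has leaked.
    log = ["login ok user=ava.reyes@example.com", f"login fail user={decoy}"]
    for line_no, email in scan_log(CANARY_KEY, log):
        print(f"ALERT line {line_no}: decoy {email} used; assume the dataset leaked")
```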

As every grade school kid will tell you, losing looks much worse when you try to win. Let’s say that you are playing H-O-R-S-E. After 253 lost games – after 26 thousand lost games – don’t you start playing the game differently? Even just a little bit? Please?


**This post has been updated based upon feedback from GAO.**

Feel like sharing something that's Worth the Squeeze? Post a comment below.

Andrew LaVanway provides government budget and policy insight for MeriTalk. A former House Appropriations staffer, LaVanway has been active at the intersection of government and technology since 1996.
