The analyst said that such incidents are causing many enterprises to reconsider their data protection policies and look into new security technologies, but few companies are taking a comprehensive approach to addressing the problem of information security and are instead focused on potential return on investment (ROI) -- a serious mistake, he said.

"Companies are trying to do ROI analysis to decide what they need to spend or what they'll lose in an incident, but that's a silly way to do it. The estimates that are out there for the cost of a breach are mostly worthless because they can't take into account the long-term effect," Mogull said.

"What they really need to do is find where the data is and how it is being used in their business and try to create smarter policies," he said. "Trying to piece things together after an attack has already happened clearly isn't going to cut it."