There has been a flood of news about hacker break-ins at companies. But how bad is the situation really?

Significantly worse than the headlines suggest, and getting worse still, a new study from the research firm Ponemon Institute suggests. The study says breaches are rampant and occurring much more often than is publicized.

The firm’s survey of 581 security professionals at large companies in the United States, Britain, France and Germany found that 90 percent of them had at least one breach in the last year and 59 percent had two or more. And the costs are mounting; 41 percent of break-ins cost more than half a million dollars.

Study participants broadly agreed that cyberattacks were getting more frequent, more severe, and harder to detect and stop.

Indeed, hackers are increasingly staging targeted attacks aimed at stealing something specific, said Larry Ponemon, founder of the institute. They study the target, find an opening and then quietly get in and out. Most are mercenaries, members of criminal syndicates or representatives of unfriendly countries, he said, and their attacks “are much more stealthy and much more difficult to identify.”

About 60 percent of respondents said they were able to identify the source of at least some of the attacks suffered by their organizations. They traced 34 percent of them to China and 19 percent to the Russian Federation.

Both countries are known hotbeds of hacking for profit and economic advantage. “China is prolific and noisy,” said the former National Security Agency director Mike McConnell, speaking at an event at the 92nd Street Y in New York last week. “They are literally taking terabytes of data” and focusing on virtually every sector of the economy. Russian hackers are considered especially skilled and known for taking things undetected, he said.

Nearly half of the breached companies surveyed by Ponemon suffered a damaging loss of data, which “speaks volumes about the mindset of the attacker community,” said Karim Toubba, vice president of security strategy at Juniper, which sponsored the survey. The large majority are in it for financial gain and don’t talk about what they do — unlike LulzSec and Anonymous, who are hacking for fun and politics and have been loudly bragging about their activities.

Victimized companies overwhelmingly prefer to keep quiet, too. When they do talk, it’s usually after a loss of consumer information, which is subject to laws requiring disclosure. But most of what is being stolen is corporate information that doesn’t have to be disclosed, Mr. Ponemon said, whether it is intellectual property like design documents or financial information. There’s certainly little reason to talk when, as the Sony case has shown, news of your vulnerability might make hackers hit you harder, customers lose confidence in you and your stock price drop.

As attackers step up their games, defenders are struggling to cope. Security professionals are pessimistic about their ability to prevent hacks; 57 percent said they had little or no confidence in their organizations’ ability to prevent a breach. They’re coming to believe that “maybe the bad guys are getting so good — or so bad — that maybe it is impossible to meet the security needs of the organization,” Mr. Ponemon said.

Respondents are also concerned about insufficient security budgets and say the complexity of modern networks is a major challenge. Corporate networks are growing more unruly and harder to control as employees use more mobile devices like smartphones and tablets, adopt cloud services and log onto social networks, all of which carry security threats. Meanwhile, I.T. departments must manage a growing array of specialized security technologies that may or may not work together to help security departments detect and halt attacks.

“When you put all of this into one big stew, it’s not very tasty,” Mr. Ponemon said.