Expert: It Takes a Village to Prevent Data Loss

By Greg Wright, Jan. 21, 2009

Each year, companies spend millions of dollars on computer software and hardware to keep hackers from stealing their secret data. However, as data breaches continue to rise—more than 50 percent during 2008 alone—at least one expert says the best tool in preventing data leakage might not be technology, but employee behavior.

“Dealing with the people factor is often a forgotten step or one considered less important than a technological solution,” said Jonathan Tait, product marketing manager at Sophos, an information technology security and control company based in the United Kingdom.

“Everybody in the organization needs to be part of the solution,” Tait said, and that includes HR departments.

Data Breaches Rising

The rising tide of data security breaches is putting companies and their customers at risk of losing proprietary data and becoming the victim of identity theft.

According to figures released Jan. 6, 2009, by the Identity Theft Resource (ITR) Center of San Diego, a nonprofit group that works to prevent identity theft, businesses, educational establishments and governments recorded nearly 50 percent more data breaches in 2008 than in 2007, exposing the personal records of at least 35.7 million Americans.

The center discovered that the percentage of breaches attributed to data theft from current and former employees more than doubled from 7 percent in 2007 to nearly 16 percent in 2008.

Since 2005, more than 246 million records containing sensitive personal information—including names, addresses and Social Security numbers—have been stolen, lost or released accidentally, according to the Privacy Rights Clearinghouse, a consumer advocacy group.

"This may be reflective of the economy, or the fact that there are more organized crime rings going after company information using insiders," Linda Foley, ITR’s co-founder, told The Washington Post. "As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent."

Even large companies and government agencies have fallen victim. The Starbucks coffeehouse chain in November 2008 lost track of four laptops that held the personal information of 60,000 current and former U.S. workers and about 80 Canadian workers and contractors. A month earlier, the U.S. State Department said, a ring of thieves obtained confidential information from passport applications. The criminals could use the information to activate credit cards stolen from the mail, according to the State Department.

Educating Employees Is Crucial

Tait gave companies advice on how to prevent data security breaches during a December webcast hosted by SC Magazine, which covers information technology security. Installing computer firewalls to prevent hacking and encryption software to stop thieves from culling data from lost laptops and other portable electronic devices is crucial, Tait said.

However, getting employees onboard is just as important, he said. More companies are giving employees portable devices that allow them to work remotely. These devices include laptops, BlackBerrys and “thumb drives,” small, portable electronic storage devices that users can put on their key rings.

Security breaches occur frequently when employees lose this gear. About 70 percent of all company data is stored in end points such as computer hard drives and portable drives, Tait said. According to Forrester Research, more than half of the largest U.S. corporations have lost data in the past two years through the loss of storable data devices such as USB drives alone.

“They are not malicious attacks, if you will,” Tait said. “But they continue to happen on a weekly and monthly basis.”

There are things companies can do to minimize the chances that their workers become data security risks:

  • Educate employees about the acceptable use of information technology and the value of data to the company. This policy should include what can and cannot be done with company electronic equipment, information and data.
  • Get everybody involved. All employees—not just information technology staff—should help set policy on the proper use of company information and data, Tait said. That includes the human resources department, legal, sales and other areas that use the technology on a daily basis.
  • Don’t forget e-mail. About 97 billion e-mails are sent worldwide each day, Tait said. Let employees know what information and files are acceptable to send by e-mail. In this age of high work mobility, many employees e-mail data to their home computers or laptops so they can work outside of the office. However, employees could send these e-mails and attachments to the wrong address accidentally. And their home computer or laptop could be vulnerable to hacker attack.
  • All electronic security steps should make it easy for employees to do their work. “The biggest challenge of data-loss prevention is the balance of meeting the regulated requirements and not affecting the day-to-day running of your business,” Tait said. “Tightening the reins across the board will probably limit business growth.”
  • Avoid confusion. Create rules for data use, set them, and forget them, Tait said. Then you will not frustrate employees by going back and changing them continually, he explained.

Risk of Social Sites

More Americans are using social networking sites such as Facebook, MySpace and Twitter. Employees who use these sites could put their companies at risk, but not necessarily because of leaked data, Tait said.

Employees can go on these web sites and write innocently about work activities, meetings or the people they interact with during the day.

Remember that old saying, “Loose lips sink ships”? Tait said employees who use these web sites could end up giving away proprietary information inadvertently that alert competitors could pick up and use against their companies.

Instant messaging can also be dangerous because photos and other files can be sent through instant messages. An employee could attach and send a sensitive corporate document accidentally, Tait said.

“The thing we can control and actually where the problem lies the majority of the time is through accidental leakage,” he said.

Ethics Is Also Important

Nevertheless, HR can help prevent employees from falling prey to data loss by ensuring that there is a multipronged approach in which all employees participate. Not only does it take a village, it also takes chiefs who lead by example, says one HR expert.

“The focus on managing and regulating compliance has taken the place of leadership and example in doing the right thing,” said Professor Marty Val Hill, SPHR, of the Woodbury School of Business at Utah Valley University, and a member of the Society for Human Resource Management’s Ethics Special Expertise Panel.

Interviewed in 2008 about increasing corporate fraud, Hill said that, ultimately, employees need strong leaders in HR and executive roles who practice what they preach in terms of ethical conduct.

“Examples of self-restraint for the social good are harder to find in the headlines today than they were generations ago. It is no excuse, but there does seem to be a correlation here. Some people enjoy justifying personal misconduct because of social norms. Even in education, I suppose, many of us are guilty of grading on the curve in an effort to give our students the benefit of the doubt. Grading on the curve when it comes to compliance and ethical conduct, however, is not beneficial to anyone.”

Greg Wright is a former financial reporter for Dow Jones News Service and Knight-Ridder Financial News, and a technology writer for Gannett News Service/USA Today. He can be reached at

