IT departments have been under a great deal of pressure around the office in recent years as employees demand access to innovation and executives expect faultless security. A new report from the Society of Corporate Compliance and Ethics (SCCE) suggests that their colleagues may be falling well short of their own high expectations, as researchers found that approximately two out of every three data breaches can be traced back to lost paper files or portable memory devices.

"Once again we find an overwhelming number of data breaches are caused by employees' poor handling of paper and devices," SCCE chief executive Roy Snell explained. "If we put as much effort into our internal compliance program as we do in technical security we would be more effective at preventing data breaches."

Aside from the source of these security missteps, the incident rate was cause for concern as well. Of the 450 compliance and ethics professionals surveyed, 59 percent revealed that their organizations had suffered a data breach within the previous year. What's more, 37 percent of those respondents were struck multiple times in those 12 months.

Reversing the trend
Although recent news coverage might lead companies to believe their technical prowess would be the key to data protection, the SCCE study seems to suggest that establishing a unified governance structure including paper and digital assets is still a stumbling block for many. As a result, organizations must realize that security and compliance are not strictly the domain of IT personnel.

In a recent interview with InformationWeek, Online Trust Alliance executive director Craig Spiezle suggested that he has routinely identified internal miscommunication as the root cause of vulnerabilities, both in his work with small independent firms and with large government agencies. Although IT teams certainly have a part to play in policy design and enforcement, each task would benefit from close collaboration between IT, business, legal and human resources departments.

Continuing with his focus on fundamentals, Spiezle also suggested that organizations review their data encryption practices during this time. Inappropriate or misaligned applications of the technology can be as damaging as instances in which it is forgotten. If certain sensitive information is left without this cloak of protection, or access credentials are wrongly distributed, data encryption software investments can quickly be spoiled.