IDG Accelerate: Technology Driving Business Performance. Sponsored by AMD - Smarter Choice.


August 4, 2008

How to make IT security a strategic issue

CIOs share their best practices for security policies.

By Manya Chylinski

The vast majority of threats to data security caused by employees, outside consultants or business partners are not malicious attacks, but accidents stemming mainly from a lack of awareness.

And, as Rit Kilroy, CIO of Boston-based Massachusetts Development Finance Agency (MassDevelopment), points out, it’s vital to make security part of the daily routine.

The first step for most companies, no matter the industry, should be to create a written IT-related security policy, and take steps to ensure employees and consultants know about it. Kilroy says it’s a good idea to keep the policy as short and as simple as industry regulations allow.

"A policy should fit on one page for someone to keep it handy and use," says Kilroy.

MassDevelopment is the state of Massachusetts’ finance and development authority. It works with businesses, financial institutions and local officials to stimulate economic growth in the state. Last year the authority financed or managed 211 projects representing investments of more than $2 billion.

That’s a lot of people and a lot of sensitive financial information. Kilroy says reminding employees and consultants about security often and in a variety of ways—such as e-mail, printed materials, employee portals, remote-access login screens, and training programs—is also a good idea.

Companies that create an atmosphere in which people understand their individual role in protecting data can reduce some of the risk from persistent, ever-changing information security threats.

"We have a significant number of policies in place," says Christopher Rieder, CIO of Parexel International, a biotech and pharmaceutical services organization with global headquarters in Waltham, Mass. "And we make sure our employees review them periodically—especially when there's a change or when we feel employees need a refresher."

In addition to policies and technical solutions, companies should limit access to sensitive data and limit access points, for example by prohibiting the use of personal computing devices. Then they should work to help employees and consultants understand their responsibilities, so the policies and access limitations feel relevant.

Rieder says Parexel does a good job of developing and explaining its policies, so there aren’t many questions.

"Only occasionally do we have an individual ask about our policies and it's usually because the employee wants to understand why we are so specific about a particular issue," says Rieder.

More and more companies are taking steps to reduce the risk of security breaches by keeping IT security on everyone's mind, every day.

And, by creating a culture of security in which management understands security is a strategic issue, not just a technology issue, employees, consultants and business partners know they have a personal stake in protecting the company and its data.

Manya Chylinski is a freelance writer based in Boston.
