The vast majority of threats to data security caused by employees, outside consultants or business partners are not malicious attacks, but accidents stemming mainly from a lack of awareness.

And, as Rit Kilroy, CIO of Boston-based Massachusetts Development Finance Agency (MassDevelopment) points out, it’s vital to make security part of the daily routine.

The first step for most companies, no matter the industry, should be to create a written IT-related security policy, and take steps to ensure employees and consultants know about it. Kilroy says it’s a good idea to keep the policy as short and as simple as industry regulations allow.

"A policy should fit on one page for someone to keep it handy and use," says Kilroy.

MassDevelopment is the state of Massachusetts’ finance and development authority. It works with businesses, financial institutions and local officials to stimulate economic growth in the state. Last year the authority financed or managed 211 projects representing investments of more than $2 billion.

That’s a lot of people and a lot of sensitive financial information. Kilroy says reminding employees and consultants about security often and in a variety of ways —such as e-mail, printed materials, employee portals, remote-access login screens, and training programs—is also a good idea.

Companies that create an atmosphere in which people understand their individual role in protecting data can reduce some of the risks to persistent, ever-changing information security threats.

"We have a significant number of policies in place," says Christopher Rieder, CIO of Parexel International, a biotech and pharmaceutical services organization with g lobal headquarters in Waltham, Mass. "And we make sure our employees review them periodically—especially when there's a change or when we feel employees need a refresher."