Then, two weeks (to the day) later, Ponemon Institute released another superb study, sponsored by IronKey, this time entitled “Trends in Insider Compliance with Data Security Policies” with the following subtitle:

“Employees Evade and Ignore Security Policies”

If you are tempted to accuse me of collusion or conspiracy here, as if I was actually in on the Ponemon study, hold back! I had no involvement and knew nothing of the impending release. What I did know was the truth: employees evade and ignore security policies!

The study is full of juicy statistics that prove this critical, bottom-line fact.

So, this week’s Tip of the Week is to use good technology to “beat” employees. Not physically (I am pretty sure that’s illegal). Rather, defeat them. I hate to foster an adversarial relationship, but if you set policies designed to protect your business, and the employees undermine them, then in the end you need to employ methods to ensure effective protection.

A big piece of the puzzle is to develop good relationships with employees–the study itself even indicates that as employee good-will rises, non-compliance decreases, as we might expect.

But don’t rely on warm fuzzies to protect your critical data. Use unobtrusive technology designed not to be seen, heard, or messed with by employees. MyLaptopGPS is certainly one example, and IronKey’s own products are more examples.

One recent tip mentioned the central importance of assuming “you’re next” for laptop theft. That alone can put you ahead.

For business owners and policymakers, or managers of larger organizations, this week’s tip is as crucial as ever, and many of these people may be painfully aware of its truth already.

It’s very good to make solid policies. Defining what data is allowed on mobile devices, what data is prohibited, who can carry what, when, and how, what security controls must be in place, and so on, are all excellent policy tasks that simply must be completed.

They also may prove essentially useless when the data goes out the door. Why? Because policies are made to be broken. Employees regularly break policies. They think the policies are burdensome. The technologies interfere or are burdensome as well. The “boss” doesn’t know what really goes on. “My job is already hard enough, and under-appreciated.” The excuses are plenty, but the point is that policies are necessary, and yet are insufficient by themselves.

Assume your employees ignore you. This does not mean you don’t still make the policies or say what you need to say (which can also help you down the road when, not if, policies are broken). But it does change the way you approach technology or policy enforcement. If you assume your employees often ignore your policies or directives, you can take extra measures to help enforce them. For example, this is a primary reason that MyLaptopGPS operates completely without user interaction–it is automatic and is designed never to been seen, felt, or bothered, by an employee. Now that’s one policy enforcer technology that employees can live with.

To be clear, I am not advocating a complete lack of trust among workers. That would really make for lousy productivity–and unfortunately it’s common. But I am advocating a key assumption that will reduce employer “surprise” when, lo and behold, the employees “didn’t do what I said to do.” If a data breach is involved, you’ll be sorrier still. Examples abound.

One assumption made is that your users aren’t putting much sensitive data on their laptops. For example, “we use an SaaS application, so all the data is on the server, so I’m sure our laptops don’t have much sensitive data on them.” This is a classic wrong assumption, since it is very common for employees to either circumvent existing policies (usually because those policies, or the technologies themselves, are obtrusive) or to simply behave in unexpected ways. Using Microsoft Excel to do some numbers crunching outside of the SaaS web-hosted app is a classic example of data that is on the laptop after all.

Obviously users are likely to “lie” if directly confronted, but the basic idea here is to begin by talking to users and examining what really goes on. How this is done will certainly vary by the size of the organization and its culture. At one extreme might be “random seizures” of equipment for examination, and at the other extreme would be a small business owner simply visiting with staff about how to treat data.

It’s a start, and an important one. From there, more thorough policymaking can be done.

PricewaterhouseCoopers released its sixth annual Global State of Information Security Survey 2008, announcing that businesses nationwide have implemented double-digit advances in new security technologies, but the focus of most businesses is on the technology itself rather than its security value.

PWC also said that more than half of surveyed businesses indicated that they do not have an accurate inventory of where personal data for employees and customers is even collected, much less transmitted or stored. About 51% of financial services respondents said that they do not require third party service providers to comply with company privacy policies.

Furthermore, most companies are interested primarily on protecting customer data — which is all well and good, if you have little to no concern for your employees. The survey indicates, “When security breaches occurred, financial services respondents indicated that employee records were just as likely as customer records to be affected.” Also, only 59% of firms indicated that they require data encryption on databases, file shares, and backup tapes. On top of that, 33% of companies do not use laptop encryption.

What this means for all you business owners out there is that your business is not as safe as it could potentially be, and not only your data is at risk: your employees are also at high risk.

Certainly, steps need to be taken to ensure employee information is stored properly, and that data is well-encrypted. Importantly, though, is that in an increasingly “mobile” workforce, laptops need to be protected. A simple encryption is the difference between secure data storage and the complete destruction of a company from the bottom up.

Think about it. Encrypt those laptops. And if you’re not about to go all out and have the tech people in your building encrypt everything, at least be equipped with technology like MyLaptopGPS data retrieval and laptop recovery. It’s the least you can do to protect your company, and your employees, from harm.