“Your security is as good as your weakest link,” says Vimal Solanki, a McAfee executive. And unfortunately, a company’s weakest link is all too often its own employees.

He points out that black hat malware writers get a lot of headlines. Companies work constantly to secure the perimeter, knowing that attempts to compromise the firewall are ceaseless.

But the enemy is within, too. Employees – however innocently – often create the greatest security problems. Laptops are lost. Emails with sensitive data are accidentally sent. Confidential records walk out the door stored on that fortress-like security device, the iPod.

The dangers of unintentional data loss have been understated, Solanki tells eSecurityPlanet.

In fact, as much as half of all security issues may be the result of employees’ unintended data loss, he says.

A new report by McAfee finds that security blunders – completely accidental – resulted in a tidal wave of sensitive information being distributed. For instance:

• Last year, a Cal State, Los Angeles employee’s USB drive was inside a purse stolen from a trunk. It held personal data on more than 2,500 students and program applicants.

• In 2006, the Republican National Committee accidentally e-mailed a list of donors’ names and Social Security numbers to a New York Sun reporter.

• Hertz Global Holdings said that it dropped a prominent financial services company from its underwriting team after several e-mails discussing its $1.5 billion IPO were inadvertently sent to about 175 institutional clients.

• Veterans groups filed a class-action lawsuit against the U.S. Dept. of Veterans Affairs after a laptop was stolen from an employee’s home. It contained Social Security numbers and birth dates for 26.5 million veterans and their spouses. None of the data was encrypted, and the employee had been routinely taking home confidential data for at least three years.

• In 2005, a U.S.-based credit card processing company failed to secure customer data, leading to millions of dollars in purchases by fraudsters. The breach affected more than 40 million accounts.

Not So Innocent

When it comes to employee security breaches, the study finds that not all leaks are so innocent. For instance:

• A hospital employee in La Crosse, Wisconsin, was convicted of using patients’ personal information to apply for credit cards.

• In 2006, industrial espionage charges were filed against a Chinese-Canadian engineer for theft of military training software.
