According to new research from IT Governance, a consultancy, two-thirds of employees find a way around security controls, not with any malicious intent, but merely to do their jobs properly.
Calder said he had seen many examples of this happening. For instance, hospice nurses had been forced to print off patient records because their network was unreliable and because restrictions on access meant they could not get to information as quickly as they needed.
In another case, payroll staff were not officially allowed to work from home on their personal machines because the link was not considered secure enough. So they copied files on to USB sticks and took the information home to work on.
"In some circumstances, the USB stick was lost, and was usually unencrypted," Calder said. "Sometimes the home workstation had a nice collection of Trojans and other malware that the user brought back in and infected the corporate system."
He said company boards needed to take a closer interest in data protection and information security, rather than leaving it to the IT department. "Management has to decide on the balance between providing information to people who need it, and the type of restrictions that are necessary to protect it. It means there has to be an intelligent conversation with the people who work with the data."
Those conversations might end up recommending technical solutions, such as whole-disk encryption for laptops or secure access for remote users, but Calder said the answer was to "just think through what the staff members really need to do their jobs, and give it to them."
The survey of 130 technology and compliance professionals took place in February, and the full findings will be published in May by IT Governance (www.itgovernance.co.uk).