Companies are increasing technology investments to protect against external data breaches, but employees pose a bigger threat than hackers, according to CEB. To mitigate the rising costs of breaches, organizations need to reduce the burden of complying with privacy policies.

Due to the advent of cloud-based productivity tools and the increase in collaboration between employees, more data is changing hands and leaving company-controlled networks than ever before. In fact, almost two-thirds of employees report regularly using personal technologies for work, primarily for the sake of convenience. For example, an employee might send a file from a company computer to a personal email account in order to keep working while out of the office.

In choosing convenience and productivity over security, employees put sensitive data at risk – and the costs are significant. The average Fortune 1000 company already spends more than $400,000 notifying customers and employees of privacy failures each year, and that’s only for the failures that are reported.

Forty-five percent of internal privacy failures are caused by intentional but non-malicious employee actions.

“While spending on information security has dramatically increased over the last decade, companies are overlooking a bigger cause of breaches – employee behavior,” said Brian Lee, Data Privacy practice leader, CEB. “Investing in technology to improve security is essential; however, organizations also need to ensure that employees are doing their part to protect sensitive information.”

“Employees will often work around controls – especially ones they feel are onerous – as a way to make their job easier,” said Lee. “This ‘rationalized noncompliance’ can not only increase privacy risks, but even jeopardize corporate strategy and ultimately growth. Establishing a more balanced approach to information governance – one that complements technological controls with prudent and relevant privacy policies that employees can easily follow – will allow companies to effectively use the information they collect and protect against a damaging data breach.”

To manage employee behaviors that jeopardize data privacy and mitigate associated costs, organizations must do two key things:

Avoid collecting unnecessary data – The simplest way to protect sensitive data is not to have it in the first place. But companies, drawn by big data’s tantalizing promises, often collect too much information or, worse, keep data long after its usefulness has passed. There’s a difference between big data and “lots of data,” and organizations need to constantly evaluate how they use data and set guidelines on what they collect and store.

Build privacy into business workflows to make it easier for employees to comply with requirements – The biggest reason why employees choose not to follow required procedures is the level of burden they perceive. To lower that burden, leaders should start by prioritizing processes that handle the most data and data that is most sensitive. Leaders should also identify and address stress points in the employee lifecycle where noncompliance is most likely, such as gaps in leadership or changes in workload, and intervene with information, direction and support for employees before or during these times.