Data loss prevention (DLP) software often leaves companies with a false sense of security, because it cannot detect vulnerabilities that are caused by the way employees conduct their day-to-day business. After a company builds and implements an information management policy it is often left to individual employees and departments to interpret and incorporate these policies into their work processes; the result is employee practices that look dramatically different from company policies.

When the security of personally identifiable information (PII) is at stake having a solid policy in place is important, but understanding how employees are doing their jobs is also a vital part of records security that is often overlooked, or completely undetected by DLP. The impact of risks resulting from employee process was illustrated recently when an external drive containing medical records and other PII for 15,500 patients of Kaiser Permanente in Northern California was stolen from an employee’s vehicle. A comprehensive inventory of a company’s confidential information and the management processes around that data, is the foundation of any solid data protection strategy.