Sometimes the data loss is inadvertent. In the BYOD era, people might leave their company without even realizing that they are taking information with them in the form of cloud or mobile apps.
Then there are those who do it maliciously, who might actually want to harm their employer or get a leg up in their new job with a competitor. But Osterman says that this is a relatively small group, amounting to about 5 percent to 10 percent of the total incidents of data loss.
Still another group takes data knowingly, but not thinking they are doing anything wrong. That could include salespeople, for instance, who feel entitled to take the contacts they worked so hard to develop, an asset they might feel that they own.
What to do about data loss
Experts say that the first issue to be settled is who owns the content. That's where employee contracts need to be established up front, so that everyone agrees about who owns Twitter followers, sales lists and other assets, Osterman says.
Next is to implement some sort of monitoring. That may be a behavioral analytics initiative to understand what employees are doing on a regular basis, making it easier to spot aberrant behavior. If there is a massive download from the CRM database at 2 a.m. on a Sunday, something might be off.
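The 2 a.m. Sunday scenario above, as an added example that is not part of the original article: Python that compares each CRM export with that user's own earlier exports and raises the severity when an unusually large one happens outside business hours. The log format, the business-hours window, the thresholds and all names are assumptions, and the log entries are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data: (local timestamp, user, rows exported from the CRM).
SAMPLE_LOG = [
    ("2024-03-04T10:15", "alice", 120), ("2024-03-04T09:30", "bob", 300),
    ("2024-03-05T11:02", "alice", 95),  ("2024-03-05T13:10", "bob", 280),
    ("2024-03-06T15:40", "alice", 130), ("2024-03-06T10:05", "bob", 310),
    ("2024-03-07T09:20", "alice", 110), ("2024-03-07T16:45", "bob", 290),
    ("2024-03-08T14:00", "alice", 105), ("2024-03-08T11:30", "bob", 305),
    ("2024-03-11T10:50", "alice", 125),
    ("2024-03-16T11:00", "bob", 295),      # Saturday, but a normal volume
    ("2024-03-17T02:07", "alice", 48000),  # Sunday, 2 a.m., massive export
    ("2024-03-18T14:30", "bob", 5200),     # working hours, unusual volume
]

def is_off_hours(ts):
    """Assumed policy: business hours are Mon-Fri, 07:00-19:59 local time."""
    return ts.weekday() >= 5 or not 7 <= ts.hour < 20

def deviation_score(rows, history):
    """How far `rows` sits above the user's median, in robust spread units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the spread so a very steady user does not alert on small changes.
    spread = max(mad, 0.1 * med, 1.0)
    return (rows - med) / spread

def find_aberrant_exports(log, min_history=5, threshold=6.0):
    """Compare each export with that user's own earlier exports."""
    history = defaultdict(list)
    alerts = []
    for stamp, user, rows in sorted(log):
        ts = datetime.fromisoformat(stamp)
        past = history[user]
        # Users with too little history get no score until a baseline exists.
        if len(past) >= min_history:
            score = deviation_score(rows, past)
            if score >= threshold:
                severity = "high" if is_off_hours(ts) else "medium"
                alerts.append({"time": stamp, "user": user, "rows": rows,
                               "score": round(score, 1), "severity": severity})
        past.append(rows)
    return alerts

if __name__ == "__main__":
    for alert in find_aberrant_exports(SAMPLE_LOG):
        print(alert)
```

The Saturday export of ordinary size raises nothing: the timing alone is not treated as aberrant here, only an unusual volume, which the off-hours check then escalates.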
The easiest tech solution is to prevent copying data onto USB thumb drives. That was how both Chelsea Manning and Edward Snowden stole military and government information that was later leaked to the media. There is technology to prevent it, or at least to alert management of the copy.
Firms are also advised to get a grip on shadow IT. Krishna Narayanaswamy, chief scientist with the cloud-security firm Netskope, says that a typical firm has more than 1,000 cloud apps running across all categories, but of those, maybe between 5 percent and 10 percent are known by IT. The rest are unknown.
"So it's very easy - and we see this quite often - to download data from a sanctioned app," Narayanaswamy says.
Kelley argues that companies need to get more assertive about preventing data loss, beginning with limiting access to various data assets. Stricter access policies could prevent someone in sales from reaching high-value engineering drawings or formulas that have nothing to do with their job, for example.
Stricter data policies and constant monitoring
With those policies in place, firms must continue to monitor their data. That means being able to answer questions like who is accessing the data, how often, and whether they have a legitimate business reason to do so.
Finally, security experts urge companies to get more aggressive about locking down their PCs. That could mean preventing employees from writing data to USB drives, barring unauthorized cloud apps, and restricting the use of personal email, since it's all too easy to send out a data file as an attachment in Gmail.