"That data is now very difficult to access," Osterman says, noting the havoc that could cause in the case of eDiscovery, regulatory audits, early case assessments for wrongful termination or product liability suits and the like. "It's very difficult. Senior managers might not even know that data is there."
The problem is compounded by the fact that many organizations leave archiving and retention up to individual users, Osterman says. With more than 10,000 laws in the U.S. alone that specify retention of different kinds of records, an inability to track documents, access them, put holds on them and expire them could present an enormous risk to the enterprise.
"If we walked into your enterprise today, and we were to profile where your information is, and, more importantly, what of information this is, a small percentage is likely to be records that you must keep, maybe five percent," says Darren Lee, vice president of governance and archiving at security-as-a-service vendor Proofpoint. "A larger percentage would be documents that drive the business, like spreadsheets, maybe 15 to 20%. The remainder that sits out there is information that no longer contributes business value; it's no longer an asset. In the world of an information balance sheet, if it's not an asset, it can only be one other thing: a liability."
"Your own data is strung out across different systems," says SkyDox's Von Weihe. "It becomes increasingly difficult to find the latest version of a document. You lose the capacity for federated search. As a business person, your ability to recycle your own work goes down pretty dramatically when you scatter it across all these different systems."
And yet workers' willingness to turn to insecure channels to collaborate makes it clear that such collaboration must go forward. The Harris Interactive survey found that 83% of employees recognize that it is important to protect intellectual property and keep it secure. But even with that understanding, employees still turn to insecure channels to get their work done.
"What really shocked me a little bit is that they understand how sensitive and critical their IP is, but they're still doing it," says Anthony Piniella, global vice president of corporate communications at IntraLinks. "They just have to do what they have to do. The companies' employees are aware that they're sending stuff that's very sensitive."
"You have to consider how much money a company spends on their infrastructure and security methods behind the firewall every day," Piniella adds, "and then once an employee sends an email, you lose all those capabilities. That's the reality. You can spend billions of dollars keeping your infrastructure safe and compliant, and once an employee sends an email with a document in it, all that money and effort doesn't take into consideration where that document goes."