Does your company have IT security policies?

Written by Dan Blacharski on October 31, 2008

We all have security policies at our companies, right? Well? Not everybody's raising their hands. We all know better; we all know we're supposed to have one, but somehow it gets put on the back burner. And it seems that once we finally do get around to creating one, there are two big problems: first, there is no enforcement, and second, nobody knows about it.

According to a recent Cisco-commissioned study on data leakage, many employees do not adhere to security policies, and the reason is surprising. It's not that employees are intentionally circumventing policy, or that they are engaged in some sort of subterfuge. It's simply that they are not aware of it. In other words, the IT staff created the policy and then forgot to tell anybody about it.

Rigorous email security starts with policy: a written policy that is enforced and made public. But on the "made public" side, let's face it, employees ignore emails from the IT department. Most of them are meaningless to the vast majority of staff members. Even I regularly get emails from the IT department about some sort of update, telling me that the network is going to be down at 3AM, and for the most part I glance over them quickly and then delete them. Those emails you create to tell everybody about your policies are going to suffer the same fate, so the policy has to reach people through channels they cannot skip, such as onboarding, periodic training, and a signed acknowledgment that they have read it.

According to the study, 23 percent of respondents do not have a standard security policy at all. Many of the policies that do exist are outdated or inadequate, and this may be due to the increasing mobility of the workplace. It used to be easy to implement a security policy when you knew where the corporate boundaries were, but today there are no boundaries. Old security policies may be in direct conflict with the realities of modern-day corporate mobility, and may need to be revisited.
