The Misunderstood Data Security Policy

Submitted by Mitch Lauer on July 17, 2008 - 9:03am.

Many organizations believe the development of policies and processes, placing them in an attractive binder, and handing the binder to auditors and the board of directors is reasonable and appropriate security. Employee awareness of the policies and processes and the business objectives they represent is lacking, as is the existence of a consistently applied set of sanctions for non-compliance. Human nature drives employees to practice old habits until a reason to change presents itself. Management must provide that reason to change.

To support awareness training and sanctions, management must implement controls to collect and review employee activities. Controls are not always based on technology, and often include administrative (e.g., audit reports, management review, rotation of duties, etc.) or physical safeguards. In any case, employee actions that security controls should identify and investigate include:
• Transferring large amounts of sensitive information over or to any media
• Transferring any amount of sensitive information over or to any insecure media
• Violation of segregation of duties policies and processes
• Violation of least privilege policies and processes
• Failure by IT staff to apply system hardening principles to servers and endpoint devices
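The first two monitored actions above can be turned into a review control that runs over collected transfer records. The following is an added example, not code from the original post; the log format, the byte threshold and the list of insecure media are assumptions to be replaced with the organization's own policy values.

```python
"""Review control for sensitive-data transfers (added example, not from the post).

Flags two of the activities listed above:
  1. large total volume of sensitive data transferred by one user, over any medium
  2. any amount of sensitive data transferred to an insecure medium
"""
import csv
import io

# Assumed policy values: tune to the organization's data classification scheme.
SENSITIVE_BYTES_THRESHOLD = 50 * 1024 * 1024          # 50 MiB per user per review window
INSECURE_MEDIA = {"usb", "personal_email", "ftp", "public_share"}

# Constructed sample records (not real data): user,classification,medium,size_bytes
SAMPLE_LOG = """user,classification,medium,size_bytes
alice,sensitive,sftp,10485760
bob,sensitive,usb,1048576
carol,sensitive,sftp,31457280
carol,sensitive,sftp,31457280
dave,public,usb,209715200
"""


def parse_transfers(text):
    """Parse the CSV transfer log into dicts with size_bytes as int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["size_bytes"] = int(row["size_bytes"])
    return rows


def find_violations(transfers):
    """Return (user, reason) pairs for transfers that warrant investigation."""
    findings = []
    totals = {}                      # per-user sum of sensitive bytes, any medium
    for t in transfers:
        if t["classification"] != "sensitive":
            continue                 # public/internal data is out of scope here
        if t["medium"] in INSECURE_MEDIA:
            findings.append((t["user"], f"sensitive data over insecure medium {t['medium']}"))
        totals[t["user"]] = totals.get(t["user"], 0) + t["size_bytes"]
    for user, total in sorted(totals.items()):
        if total > SENSITIVE_BYTES_THRESHOLD:
            findings.append((user, f"large sensitive transfer volume: {total} bytes"))
    return findings


if __name__ == "__main__":
    for user, reason in find_violations(parse_transfers(SAMPLE_LOG)):
        print(f"REVIEW {user}: {reason}")
```

Note that dave's 200 MiB to USB is not flagged because the record is classified public, which is exactly why the control depends on a consistently applied classification scheme.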

This isn't a complete list of activities to monitor, but these activities represent the greatest data compromise risks to businesses.
Failure to act on data security policy spells huge trouble for any organization that feels safe because it has a very nicely written and packaged "security manual".
