The lack of attention paid to protecting data is especially dangerous because of the widely distributed nature of corporate information and the myriad ways in which it can be accessed, he added.

"I don't know if anybody can honestly say they have thought of every single way someone can pilfer data," O'Pry conceded. But it pays to put controls around some of the more obvious ones, he said.

One of the simplest steps is encrypting sensitive data on all removable and archival storage media to protect against compromises if devices are lost or stolen, said Eric Beasley, an IT security manager at a bank in the Midwest that he asked not be named.

The VA "should have made it so easy and inexpensive for employees to encrypt data on their PCs and have had such a high penalty for not doing it that everyone would have [complied]," said Alan Paller, director of research at the SANS Institute, an IT security research and training firm in Bethesda, Md.

O'Pry said that restricting the ability of end users to attach removable media, such as USB thumb drives, external hard disks, and DVD and CD burners, to their systems is another relatively straightforward way to lessen the risk of information leaks. "Every company faces removable media issues," he noted.