While data breaches born of malicious attacks grab headlines, more data thefts are caused by employee negligence and computer glitches, according to a report this week by Symantec and the Ponemon Institute.
Almost two-thirds of data breaches in 2012 could be attributed to negligence or human error (35%) and system glitches (29%), reported the eighth annual Ponemon Global Cost of a Data Breach study.
However, malicious attacks remain the single highest cause of breaches, with 37% of the intrusion pie.
Those figures vary by nation, the report showed. For example, Germany had an almost even split between malicious attacks (48%) and negligence/glitches (52%). By comparison, more than three-quarters of the breaches (77%) in Brazil were blamed on human error and system failures.
"Data breaches normally aren't about bad people," Larry Ponemon, founder and chairman of the institute that bears his name, said in an interview. "It's normally about good people making mistakes or business processes that fail."
A common misconception by organizations is that security policies can eliminate human error, said Tony Busseri, CEO of Route1, a maker of security and identity solutions. "We have this expectation that because there's a policy manual and core training, that people are going to execute perfectly," he said in an interview. "They don't.
"We so often focus on the North Koreans or the Chinese or the bad guys, when in reality we create the large majority of breaches ourselves."
Even the lynchpin of a malicious attack can depend on human frailty, pointed out Timothy Zeilman, vice president of Hartford Steam Boiler, a unit of Munich Re, which released a study this week on cyber attacks on small businesses.
"There are a number of ways that cyber attacks can be orchestrated," he said in an interview. "But one of the common ways to do it is to take advantage of some weakness in human nature by getting someone to open an email or do something they shouldn't do if they were mindful of computer security at all times."
The increased presence of employees' personal devices in the workplace is often cited as a potential source of data breaches, but that hasn't shown up much in the Ponemon data yet. "We had some cases that involved an employee-owned mobile device -- BYOD -- but there aren't many of those," Ponemon said.
There were also some breaches among the nearly 300 companies participating in the study involving mobile devices -- tablets and smart phones. "That makes sense because these are computers and they're easy to lose," Ponemon said.