Indeed, while it may not qualify as a hack, word this week from the Indiana State Medical Association (ISMA) of the "random" theft of a pair of backup hard drives is just one recent example of the threat from those on the inside. The association said the theft meant the private data of 39,090 of its clients may be at risk.
The one thing there is little disagreement about is that the best way to lower the risk is through improving the "security culture" of organizations. Some of that, Ponemon said, can be done through low-tech means like privacy filters for screens and lock boxes for documents. Some of it can be through rewarding employees for spotting security vulnerabilities.
But effective security awareness training is seen as the major key.
Spitzner said human behavior "absolutely" can be changed through training, but won't be through the traditional "death by PowerPoint" lecture, which was done largely to check a compliance box.
"Marketing has been changing people's behavior for hundreds of years," he said. "The problem with us is that training has mostly been done by security professionals, who tend to be some of the worst communicators in the world. It needs to be done by communications professionals."
Hadnagy added that there is still a great need for more, and better, training. "I can't tell you how many times people I train don't even know what a phish is, or a vishing call, or a shoulder surf," he said. "If they don't even know, how can they defend? Education is probably the single most important step to protection any company can have."
Spitzner said that if training focuses on how security awareness will benefit not just the company but employees themselves, "then it becomes part of their DNA," and the failure rate drops from 30 to 60 percent down to less than 5 percent.
And even those in the 5 percent, he said, tend to recognize what they did immediately, and report it to IT. "That's almost as good," he said.