Most data breaches are caused by mundane events such as employees losing, having stolen or simply unwittingly misusing corporate assets, a Forrester Research report has found.
After questioning over 7,000 IT executives and ordinary employees across North America and Europe, 31 percent cited simple loss or theft as the explanation for data breaches they had experienced, ahead of inadvertent misuse by an employee on 27 percent.
External attack was mentioned in 25 percent of cases with abuse by malicious insiders on 12 percent. The same selection of causes was cited at much lower levels for business partners.
"Whether their actions are intentional or unintentional, insiders cause their fair share of breaches," said the authors. "Other common sources of breach include loss or theft of corporate assets, such as laptops or USB drives, and external attacks that target corporate servers or users."
Predictably, the arrival of mobile devices and the consumerisation of IT hasn't helped matters.
Most organisations formulate policies for securing mobile devices but, paradoxically, lack enough tools to enforce them.
Thirty-nine percent worried about a lack of data leak prevention on mobile devices, with half concerned about the consequences of old-fashioned theft. Thirty percent thought there wasn't sufficient separation between consumer and corporate data on mobile devices.
The commonest form of mobile device security is password entry plus remote lock and wipe with almost a quarter admitting they haven't started using any form of data protection at all.
"It's not simply just a matter of having the appropriate tools and controls in place. It's worth noting that only 56 percent of information workers in North America and Europe say that they are aware of their organisation's current security policies," said the authors.
When data is breached, personal (employee and customer) data accounted for 22 percent of cases reported, with IP not far behind with 19 percent and user credentials such as logins in 11 percent.
Forrester's findings probably confirm a simple maxim that data breaches are often accidental rather than malicious. What it doesn't speculate on is whether internal breaches are necessarily the most serious.