7. Handling breach details sloppily tips off the perp
Another common problem is that companies typically fail to establish a "need to know" approach to breaches, which makes it harder to carry out baseline investigations as workers find out about an incident and immediately try to protect their own interests.
If insiders are involved in the problem, they also gain the advantage of knowing that the jig is up and may stop telltale behavior useful to investigators -- and often try to cover their tracks, Mandia said.
8. Trusting "silver bullet" technology hides real threats
As regulatory measures that involve IT and data security interests continue to multiply, businesses have invested a lot in technological solutions to plug the holes. But companies commonly believe that installing a specific technology or meeting some individual aspect of a regulation is a silver bullet or a quick fix. It's neither.
"The biggest problem I see is people thinking that simple things like deploying anti-virus [software], patching, and running vulnerability scans are actually what it means to be compliant. They're not approaching it from a risk management standpoint -- they're just checking the boxes," said Mike Rothman, an analyst with Security Incite.
Companies often compound this fools' paradise by auditing their limited security fixes and taking a passing grade as confirmation that no more work is needed. "People often think that once they have a positive audit, they're done," Rothman said. "Then the bad guys prove to them that they're not."