Most security breaches caused by careless human error

Security expert David Litchfield analyzed data breaches during 2007 and came up with interesting results:

Word documents and spreadsheets mistakenly left on a web server or indexed by a search engine account for 20.6% of the 276 breaches, both physical and digital, recorded up to the 23rd of October. This means that a fifth of the breach problem could be solved if companies actively and regularly hunted out such relict documents themselves.

David points out that these numbers are certainly low, since most criminals don't report their activities.

In a related announcement, Chris Walsh reports on two studies that showed:

60-65% of breaches [are] due to lost or stolen media and 15-25% [of breaches are due to data] exposed online.

Here's a table showing this data:

Based on these reports, it's clear the vast majority of data breaches are caused by human error: data custodians inadvertently leaving files exposed to search engines, or else losing storage media (and laptops) containing secure data.

It's tempting to believe that security data breaches result from the hands of evil hackers, secretly using advanced techniques to pry into sensitive and well-guarded computers. Unfortunately, the reality is that most breaches are caused by plain old carelessness.