A recent research project has led me to look at information security and, in particular, the root cause of data breaches. In
recent years, organizations that have experienced breaches have been forced by law (in many cases) to report the occurrence.
Therefore, we've seen a spike in incident reports. Collectively we can all learn from those reports to attempt to prevent
similar occurrences in our own organizations.
By far one of the most detailed analyses of data breaches comes from the Verizon Business Risk Team. This group provides a fee-based service to large enterprises to conduct forensics and investigative responses
to known breaches. Dating back to 2004, the team has compiled information from more than 500 in-depth investigations where
the vendor helped customers determine the cause of a breach.
By the nature of this business, the Verizon investigations were significant cases of computer crime. In other words, the report
doesn't cover simple instances of lost or stolen laptops. Rather, the team typically is engaged when the victim company is
looking for factual evidence from a forensic investigation that could lead to criminal prosecution. At the very least, the
victim company is determined to find the root cause of the breach so it can be eliminated as a potential source for future
breaches.
Here are some of the interesting points brought out in Verizon's "2008 Data Breach Investigations Report." Remember that the data sample involves more than 500 investigations spanning very small to very large organizations around
the world.
Errors, such as poor decisions, misconfigurations and omissions, are a contributing factor in nearly all data breaches. Significant
omissions led to a large number of the breaches. Most often, the omission was a standard security procedure or configuration
that was believed to have been implemented but was not. In 15% of the cases, misconfigurations were a contributing factor.
These include erroneous system, device, network and software settings.
In the Verizon investigations, hacking led to more data breaches than any other category of threat, and it is a favored technique
of cybercriminals. Eighteen percent of hacks exploited a specific known vulnerability. In more than 71% of these cases, a
patch for the vulnerability had been available for months -- or even for as long as a year -- before the breach. "This strongly
suggests that a patch deployment strategy focusing on coverage and consistency is far more effective at preventing data breaches
than 'fire drills' attempting to patch particular systems as soon as patches are released," the Verizon report concludes.
Comments (2)
Data Theft and Breaches - A Solution?
By johnfranks999 on October 16, 2008, 9:34 pm
These data breaches and thefts are due to a lagging business culture. As CIO, I'm always looking for ways to help my team, business teams, and ad hoc measures of...
laptop theft = serious
By brent on October 20, 2008, 8:13 am
Great article -- I do challenge, however, your characterization of laptop theft as "simple." While I understand what you mean, I think many of your readers may mistake...