Data breaches continue to plague organizations in virtually every industry. In some breaches, the root cause is fairly obvious -- a lost or stolen laptop or USB stick, for instance. In other cases, it takes a forensic investigation to piece together the details of what happened and how.

The Verizon Business RISK Team is a world-renowned data forensics organization that investigates all sorts of suspected breaches. Since 2004, this team has worked on more than 600 cases. Fortunately for us, the team is willing to share its collective knowledge and provide an analysis of the trends in breaches, including how they happen and what the root causes and contributing factors are.

10 woeful takes of data gone missing

I featured some of their analysis in my February article, "Don't Be a Data Loss Victim". Since then, the RISK Team has published its latest report, the 2009 Data Breach Investigations Report (DBIR). This is a good read for any organization that is trying to plan where and how to allocate scarce resources. For example, the prevailing wisdom says that company insiders are a major threat for accidentally exposing data or intentionally stealing it. In the experience of the Verizon team -- and mind you, the team's universe is not all breaches, but only the ones its members investigate -- the insider threat is much less significant than those threats that come from outside the company. Knowing this, an organization can plan its defenses accordingly.

The 2009 report focuses on the more than 90 confirmed breaches the team investigated in 2008. The number of sensitive data records exposed through these breaches totals more than 285 million. That's more records exposed in one year than the sum of all the records exposed in the four previous years.

Here are some notable statistics from the 2009 report:

* 74% of the breaches resulted from external sources. This percentage is just about unchanged from previous years.

* 91% of all compromised records were linked to organized criminal groups. It's no surprise such groups are after data they can monetize quickly, such as credit card data and financial records.

* 67% of the breaches were aided by significant errors, such as not applying a patch for a known vulnerability. This statistic is unchanged since previous years, meaning we haven't learned yet how important it is to watch out for the simple things that are in our control.

Linda Musthaler is a principal analyst with Essential Solutions Corporation.