Mistakes are costing companies millions from avoidable data breaches

Lately not a day goes by without a major news story on cybercriminals, hacktivists, and spies. These are generally viewed as the main threat actors behind the data breaches that we spend so much time — and budget — fighting. But what about Anne in Accounting, Sam in Sales and Paul in Production? While malicious attacks are certainly a significant problem and make for thrilling headlines, it’s mistakes made by people and systems that actually cause the majority of data breaches.

According to the 2013 Cost of a Data Breach study, negligence and system glitches together accounted for 64 percent of data breaches last year. These can include employees mishandling information, violations of industry and government regulations, inadvertent data dumps, stolen laptops, and wrongful access.

5 Pieces of DLP Advice You Can’t Afford to Ignore

Today’s business users are nothing if not productive, but too often they don’t stop to consider whether they are working with confidential data or whether they are protecting it appropriately. The fact is, employees regularly save patient records to thumb drives, transfer customer data to personal devices, and email unreleased product plans to personal webmail. Although well-intentioned, their actions can expose sensitive business information to unnecessary risk. Add advanced threats from external attackers to the mix, plus malicious insiders intent on stealing corporate data for their own gain, and it becomes clear that data loss prevention (DLP) is no longer a nice-to-have, but a need-to-have.

CISOs are turning to DLP solutions to effectively protect valuable intellectual property (IP) and personally identifiable information (PII) and keep their organizations from becoming the next headline. Symantec recently published a research paper examining how DLP programs impact the effectiveness of security executives while also protecting corporate data. We surveyed more than 130 CISOs, VPs, directors and managers responsible for the evaluation, selection, deployment and governance of their organization’s DLP solution.

Enterprises Can Learn a Thing or Two about IP Theft from Department Stores

I read with great interest The New York Times’ “Room for Debate” that discussed whether companies should disclose when they get hacked. When brands big and small suffer a data breach and lose customer data, they are required to disclose the breach based on various state privacy laws that mandate disclosure when personally identifiable information (PII) is lost. But, when hackers get in the backdoor and make off with other valuable IP, we typically don’t hear about it. Opinions on the matter of disclosure run the gamut. Some think mandatory disclosure of security breaches will telegraph weaknesses while others think disclosing cyber-risks is material and investors should know if a company can keep its crown jewels secret.

There’s plenty to debate on this front, but by focusing so much attention on hackers pilfering sensitive corporate data we’re ignoring one of the biggest threats to IP that companies face every day – our own trusted employees. We need to ask to whom more corporate secrets are lost – the external attacker or the insider?

The “Frenemy” Within – Insider Theft of Intellectual Property

fren·e·my [fren-uh-mee] noun. Someone who is both friend and enemy, a relationship that is both mutually beneficial or dependent while being competitive, fraught with risk.

When it comes to taking your intellectual property (IP), employees are the less obvious player but they can be frenemy #1. In many cases, these trusted employees are moving, sharing and exposing sensitive data in order to do their daily jobs. In other instances, they are deliberately taking confidential information to use at their next employer. It’s not that these employees are inherently malicious – often they just don’t know it is wrong to do so.

DLP Strategy: How to Avoid 3 Common Data Loss Prevention Pitfalls

Defining a data loss prevention (DLP) strategy for your business can seem daunting because it’s not just about technology. It’s also about people and processes. Every group in your company can be affected by the loss of intellectual property and other sensitive information. Forward-looking security executives are driving DLP initiatives to prevent costly data breaches, comply with strict data privacy regulations, and stop malicious insiders and hackers. But like any other part of your security plan, it’s not always as simple as just turning on software – rolling out DLP without adequate preparation can derail your plans before you realize the benefits. Whether you’re just thinking about starting a DLP program at your company or have already decided to deploy one, set yourself up for success by avoiding these common pitfalls.

Prevent IP Theft with Effective Corporate Hygiene

As your dentist turns on his drill, have you ever thought that a little extra preparation – in the form of better brushing habits – could have saved you from this uncomfortable situation? Life is full of similar situations, when we experience consequences that may be avoidable by taking the right precautions. A major auto manufacturer suffered one of these unfortunate incidents recently, when they fired an IT employee who then turned around and stole sensitive intellectual property (IP) from the company. News surfaced last week that a disgruntled IT technician at an intelligence agency reportedly downloaded terabytes of data that he intended to sell. Fortunately, both organizations quickly spotted the IP thefts and have taken action against the alleged perpetrators.

How big of a target do I have on my back?

I frequently present on security threats and the Symantec Internet Security Threat Report. There are many great statistics in the current report: 403M unique variants of malware, 5.5B web attacks blocked, 4,597 web attacks per day, and so on. I frequently describe the different types of attackers: Malicious Outsiders, Insiders, Organized Crime, etc. The question that is frequently posed after the presentation is “How big of a target are we?”

Many security professionals are looking for the input to the risk formula for the probability of being attacked by one of the attacker types. Unfortunately, this hard quantitative data does not exist; we can only do our best to estimate it based upon the data and information we have about the current threat landscape, as well as industry and company trends.

Some Incidents are Completely Avoidable

Over the past several weeks I’ve had the opportunity to present Symantec’s Internet Security Threat Reports to several of our customers. It has been interesting to see the different reactions and feedback to various sections of the report, but one particular statistic in the report seems to consistently receive positive feedback and general agreement.

The statistic in question is from “The Top Causes for Data Breach by Number of Incidents, 2011.” The specific statistic is that 34% of all incidents are due to Theft or Loss. When I’ve discussed this particular statistic with customers, I have proposed that these incidents are entirely unnecessary.

At the root of nearly all of these types of incidents is a failure to properly implement, utilize, and enforce the judicious use of encryption on laptops, mobile devices, backup tapes, USB storage, and other removable media. If encryption is not in place on these devices and they are lost or stolen, most organizations have to assume that sensitive data was exposed and, depending on applicable laws and regulatory requirements, report it as a data breach event.

BYOD is like a BYOB House Party

The times when Mom and Dad left their young teenage son at home were the perfect occasions to phone my friends and tell them the party’s at my parents’ house and to bring their own bottle, BYOB! I wasn’t thinking too clearly about the ramifications and risks to our home or personal belongings, or even of my parents getting sued by my friends’ parents. Those so-called friends would show up, and inevitably things got broken and almost always things went missing. I would scramble to try and repair everything before my parents returned.

Our place of work is much like our home, and we invite friends or colleagues to bring their own mobile device to the party and consume some sensitive data, BYOD! They are intoxicated with the excitement of being able to get their work data on their personally owned device and do not understand the implications of that data being removed from the house. What is the real impact to us and to them? After all, it’s not like they are worried about their parents coming home.

Putting a Face on Intellectual Property Theft

In the constant war for information security between businesses and cybercriminals, we are so focused on the faceless, outside enemy that we often fail to recognize potential double agents within our own ranks. With so many resources devoted to preventing hackers and cybercriminals from getting past our external network defenses, it’s easy to neglect internally based intellectual property (IP) theft.

IP theft is staggeringly costly to the global economy: U.S. businesses alone are losing upwards of $250 billion every year. As it turns out, IP thieves are most often either current or former employees. We trust most of our employees to do the right thing, but the malicious actions of a single person can jeopardize the health of the business and jobs for everyone.