The number of reported breaches of organizations' data has been growing hyperbolically over the past few years, based on data in Verizon's 2016 Data Breach Investigations Report (DBIR). A major reason is that many organizations are still doing security the way they did decades ago. The leading cause of reported data breaches, as documented by Verizon, is "miscellaneous errors"—mistakes made by employees—that open the door to attackers.
For those who've followed the recent chain of crypto-ransomware attacks at hospitals around the country, this finding will come as no surprise. Issues such as system misconfiguration, end users sending sensitive data out of the network by mistake, or users clicking on stuff they shouldn't be clicking on were among the errors made by organizations that led to about 18 percent of the data breaches documented in 2015—and were likely the leading contributor to the many incidents that went unreported.
In 63 percent of "confirmed" breaches, attackers took advantage of weak password credentials, default passwords left in place, or passwords that were stolen through phishing attacks or other means. In other words, if organizations had been using something other than just usernames and passwords as credentials to gain access to systems, more than half of the data breaches that happened in 2015 would not have occurred.