Data breach statistics reveal same old problems



Verizon (NYSE: VZ) Business' annual report on data breach investigations, which it released July 28, tells more or less the same old story about online crime, but with a couple of interesting twists. For this year's report, which covers activity in 2009, Verizon worked with the U.S. Secret Service.

Unfortunately, as the report documents, U.S. enterprises are dealing with many of the same threats they've been dealing with for years. Insider threats and social engineering scams are on the rise, while organized online crime remains a serious menace. The most common way that organizations are breached is through stolen credentials, and the financial services, health care and retail sectors are hit the hardest.

Another sadly recurring theme, according to the report, is that the majority of breaches could have been avoided if basic security measures had been followed. Worse, perhaps, organizations don't appear to be exactly on the ball when it comes to handling breaches after the fact. Sixty percent of the breaches were identified by external parties, even though 87 percent of the victimized organizations had evidence of the activity in their logs.

"For the most part, organizations still remain sluggish in detecting and responding to incidents," Verizon said. "[W]hile most victimized organizations have evidence of a breach in their security logs, they often overlook them due to a lack of staff, tools or processes."

In an interesting twist, the report found a reduction in the number of data breaches overall last year, tentatively attributing it to the arrest of high-profile cyber criminals. At the same time, however, breaches occurring within the financial services industry grew. Most frighteningly, 94 percent of all the records breached in 2009 were in financial services.

Most of the report's recommendations are pretty obvious: Monitor privileged users, use two-factor authentication whenever appropriate, filter outbound traffic and review logs more thoroughly. But, in what might be its most interesting finding, the report notes a correlation between ostensibly small violations of corporate policy and more serious violations. Illegal content on a user's machine, for example, can be an indication of a breach down the road. The report recommends that companies actively search for minor policy violations that could be indicators of bigger problems.

Do the statistics relayed by the Verizon report reflect your organization? If so, what important factors are not being conveyed? - Caron