Bill Brenner's article in the July 2005 Information Security magazine clued me in to a press release by the Computing Technology Industry Association (CompTIA). They announced the results of their third annual CompTIA Study on IT Security and the Workforce. From the press release:
"Human error, either alone or in combination with a technical malfunction, was blamed for four out of every five IT security breaches (79.3 percent), the study found. That figure is not statistically different from last year."
This study and the 2004 edition appear to be the source for other reports that claim 80% of security breaches are the result of human error. Note the CompTIA study says "Human error, either alone or in combination with a technical malfunction," is to blame.
Nevertheless, I am not surprised by this figure. I rarely perform an incident response for an organization that is beaten by a zero day exploit in the hands of an uber 31337 h@x0r. In most cases someone poorly configures a server, or doesn't patch it, or makes an honest mistake. The fact is many IT systems are complicated, and none are getting simpler. Administrators have too many responsibilities and too few resources. They are often directed by managers who have decided to weigh "business realities" more important than security. The enterprise is not running a defensible network architecture and the level of network awareness is marginal or nonexistent. No network security or host integrity monitoring is done.
In such an environment, it is easy to see how a lapse in a firewall rule, a misapplied patch, or an incorrect application setting can provide the foothold a worm or attacker needs.
So what is my answer? No amount of preventative measures will ever stop all intrusions. I recommend applying as much protection as your resources will allow, and then monitor everywhere you can. If your monitoring doesn't help you identify a policy failure and/or intrusion, it will at least provide the evidence needed to remediate the problem, and then better prevent and/or detect the incident in the future.
Update: I found this Infonetics Research press release that stated the following:
"In Infonetics Research’s latest study, The Costs of Enterprise Downtime, North American Vertical Markets 2005, 230 companies with more than 1,000 employees each from five vertical markets—finance, healthcare, transportation/logistics, manufacturing, and retail—were surveyed about their network downtime...
'The finance and manufacturing verticals are bleeding the most, with the average financial institution experiencing 1,180 hours of downtime per year, costing them 16% of their annual revenue, or $222 million, and manufacturers are losing an average of 9% of their annual revenue,' said Jeff Wilson, principal analyst of Infonetics Research and author of the study...
Human error is the cause of at least a fifth of the downtime costs for all five verticals, and almost a third for financial institutions; this can only be fixed by adding and improving IT processes...
Security downtime is not a major issue anywhere, though it reaches 8% of costs within financial organizations."