Do you know your enemy? Are you fighting the wrong war? Despite everything you've read about cyber security, despite all the breaches in the news, the fact is well-intentioned business people are still surprisingly behind the times.

Thieves and hackers are by no means the main cause of data breaches. Cyber security is just one element—because physical records, paper and files, continue to play a major role. And too few managers understand that they remain responsible for lost information—even if no one's noticed it's been lost or taken advantage of the breach.

What does this tell you? Cyber security is just one part of the equation. Breaches happen many ways. And it could be companies are fighting the wrong war. They're focused exclusively on protection, on encryption and firewalls for example, when they should be considering what to do after the systems are breached.

My work, my company Beazley, isn't mainly in the business of preventing breaches. Instead, and perhaps more relevant today, we're the people who help companies survive them. We've resolved over 1,000 cases in the last five years.

Let me tell a few illustrative stories—and some interesting lessons to be learned.

  • An angry client of a large, prestigious law firm broke into their offices and stole all their hard drives. They had a great encryption system, powerful firewalls, all the latest data security software. None of that made a whit of difference; they were breached anyway.
  • A multi-state health provider sent a free wellness magazine to its older members. They loved it. But one month their printing system got the mailing labels wrong—each one contained not just the member's address but their patient ID as well—and those included their social security numbers.
  • Outside contractors remodeling an office disposed of some old file cabinets. Unfortunately, scores of old computer backup tapes were stored inside them. Did bad actors get hold of the data? Was anybody hurt? No, it was only an accident. But the company was, nevertheless, responsible. They had to search for the tapes in a landfill and notify thousands of customers.
  • Thieves posing as employees of a recycling company worked their way up the Eastern seaboard removing X-rays from hospital radiology labs. Their plan was to retrieve and sell the silver in the films. The problem was the X-rays were marked with patient data, names, addresses, date of birth and social security. The crooks were not identity thieves. They weren't after the data. But thanks to HIPAA rules, the hospitals had to navigate around hefty fines.
  • A doctor was in the habit of motorcycling to work. One day his briefcase came open. He arrived safely at his office, but hundreds of patient records were scattered three miles behind him.
  • One company's security system was so complete that they guarded their data against their own employees. Staff had to type in secret codes to get information using special terminals with security cameras watching over each one. An insider, however, was stealing employee identities. She stood behind friends while they looked up data and memorized the information.

What are the lessons?

The first one is that accidents are behind more data breaches than hackers. There are plenty of crooks out there, but your own innocent employees mislay more data. The second lesson is this isn't only an information systems problem. Pieces of paper, devices and hard-drives, X-ray films and even mailing labels can be vulnerabilities. A third lesson is that thieves come in all manner of disguises. They're not just digital wizards in Russia; they're maintenance men or angry clients or a fellow worker looking over your shoulder.

The last, most significant lesson is that you're responsible. Thanks to HIPAA rules, legal decisions, state and federal regulations, if important data disappears your company has the burden of recovering it and notifying those who might be harmed. It doesn't matter if it was an accident, if no injury resulted, if you didn't even know there was a breach or what went missing.

And that brings us to data breach insurance. It really has two parts. The first part is traditional insurance – to protect your company against potential losses. You need a broad, well-crafted policy, with coverage and limits to address the full variety of claims arising out of your company's underlying exposures. (There are several ways of setting limits—and we've found that a per-person basis, up to, say, two million or five million records—gives us a better way to define the risk.)

The other part of data breach insurance has the characteristics of a service. In the event of a breach, we provide—and pay for—the IT forensics experts, the specialized legal help, the PR consultants and the notification services you need when there's a complex breach. The vendor is there to advise you and walk you through the steps, because, believe me, this isn't something you want to learn while you're going through it.

The good news is there's a lot that you can do to mitigate the damage. It's in your hands, and if your response is sound no liabilities may follow.

And so what happened to the companies in the stories? Our IT experts tracked down what the law firm lost—and we helped notify their clients. We worked with the company that lost its backup tapes. They were never found, but thanks to us their liabilities were covered. For the mailing labels, we knew how to notify the readers. For the hospitals with the missing X-rays we supplied expert IT specialists—because some of them had no index for their records. We identified and notified the patients of the motorcycling doctor. We helped find the insider who was memorizing information—and, even more difficult, we identified the people whose identities she stole.

Data breaches are, unfortunately, a part of doing business. No matter how well you're protected they will happen. It isn't “if”; it's “when.”

And a final lesson to be learned: A data breach doesn't have to be a disaster—but mishandling it is.

Mike Donovan is the Global Leader of the Technology, Media, and Business team with Beazley, the leading specialist insurer, pioneering data breach response insurance through the Beazley Breach Response (BBR) product.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.