Organisations are typically over-investing in some areas, while neglecting other parts that would yield significant gains, said Peter Tippett, vice-president of technology and innovation at Verizon Business.
"Up to 40% of money spent on IT security is wasted", he told Computer Weekly.
Many organisations are increasingly spending money on insider threats, but in reality only 11% of successfully exploited data breaches in the past five years have been internal parties alone, according to the latest Verizon Business Data Breach Investigations Report.
Most breaches involve multiple sources, but even then research shows that only 20% overall involved internal parties.
Purely external parties were responsible for 43% of breaches, and were involved in 74% of breaches overall, including internal parties and business partners.
"Based on these results, it seems unwise to downplay the threats posed by outsiders", the report said.
Organisations end up wasting IT security budgets by spending too much on where the threats are perceived to be, instead of where they really are, and where the business will see the most benefit, said Tippett.
"Many businesses are still not doing the cheap and simple stuff, but continue to spend a lot of money on doing things faster."
The research shows that being able to patch systems faster will reduce enterprise security risk by about 2%.
"But by simply eliminating systems with default passwords that are easy to guess will cut risk by at least 25%, 10 times more than patching faster," said Tippett.
Doing more patching faster is therefore not as worthwhile as other matters, such as stronger passwords and better network discovery, he said.
"An organisation can reduce its risk by 85% simply by finding out where all its servers are, where all its data is stored and what connections there are to it", he said.
Even though bigger companies tend to look for default passwords, they look only at critical systems and tend to ignore those that have nothing to do with the business, but this is another mistake, said Tippett.
"Hackers don't care what is critical and what is not - they just use their tools to find the things that are easiest to get into, and once they are in, they move from there."
Research has shown big attacks that sink companies or cause billions of pounds' worth of damage involve, on average, 4.5 steps, said Tippett.
"The first two of these steps typically involve non-critical systems and things that are easy to fix, like default passwords and application errors", he added.
It is 10 times more common for organisations to test particular machines for vulnerabilities, than their entire network to see where they should focus, he said.
"Discover is the most important thing you can do. It is the first step in every risk-management programme. Yet it is the thing almost everyone ignores."
This article was first published by Computer Weekly