September 3, 2018

Revealed: Human Error, Not Hackers, to Blame for Vast Majority of Data Breaches

The healthcare sector is by far the worst culprit...

By CBR Staff Writer

The number of reports of data security incidents received by the UK’s Information Commissioner (ICO) has surged 75 percent over the past two years, according to new analysis by Kroll, the risk mitigation and investigative services company, with the overwhelming majority down to human error rather than malicious cyber incidents.

Some 2,124 reports could be attributed to human error, compared to just 292 that were deliberate cyber incidents, Kroll said. The most common types of incident were confidential data emailed to the incorrect recipient (447 incidents), loss or theft of paperwork (438) and data left in an insecure location (164).

Healthcare: The Worst Culprit

Most guilty of such breaches was the healthcare sector, which reported 1,214 incidents over the past year, a 41 per cent increase over two years. This is followed by general business (362), education and childcare (354) and local government (328).

The information came via a Freedom of Information (FOI) request.

Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice, explained: “Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK.”

He added: “We would expect to see an increase in the value of penalties issued… The ultimate impact is that businesses face not only a much greater financial risk around personal data, but also a heightened reputational risk.

“Effective cyber security is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks. The majority of data breaches, and even many cyber attacks, could be prevented by human vigilance or the implementation of relatively simple security procedures.”

Sending mail to the wrong recipients is a common error…

Sarah Armstrong-Smith, Head Continuity & Resilience at Fujitsu UK & Ireland, added: “It’s imperative that businesses help make users the strongest link, not the weakest. This needs to go beyond just providing users with security and privacy training and awareness, there also needs to be mechanisms in place to identify and prevent internal data leakages from occurring.”

She added: “To be truly effective when it comes to protecting personal data requires a mix of people, processes and technologies: all of which have to be carefully aligned so that everything fits together properly. At the end of the day, security alone cannot stop a breach, it requires a cultural shift to embed data governance throughout an organisation.”

The loss or theft of unencrypted devices (133) was another common reason for data breach reports, the FOI found. Of the deliberate cyber incidents reported, unauthorised access was the most common (102), followed by malware (53), phishing attacks (51) and ransomware (33).
