The number of reports of data security incidents received by the UK’s Information Commissioner (ICO) has surged 75 percent over the past two years, according to new analysis by Kroll, the risk mitigation and investigative services company, with the overwhelming majority down to human error rather than malicious cyber incidents.
Some 2,124 reports could be attributed to human error, compared to just 292 that were deliberate cyber incidents, Kroll said. The most common types of incident were confidential data emailed to the incorrect recipient (447 incidents), loss or theft of paperwork (438) and data left in an insecure location (164).
Healthcare: The Worst Culprit
Most guilty of such breaches was the healthcare sector, which reported 1,214 incidents over the past year, a 41 percent increase over two years. It was followed by general business (362), education and childcare (354) and local government (328).
The information came via a Freedom of Information (FOI) request.
Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice, explained: “Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK.”
He added: “We would expect to see an increase in the value of penalties issued… The ultimate impact is that businesses face not only a much greater financial risk around personal data, but also a heightened reputational risk.
“Effective cyber security is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks. The majority of data breaches, and even many cyber attacks, could be prevented by human vigilance or the implementation of relatively simple security procedures.”
Sarah Armstrong-Smith, Head Continuity & Resilience at Fujitsu UK & Ireland, added: “It’s imperative that businesses help make users the strongest link, not the weakest. This needs to go beyond just providing users with security and privacy training and awareness; there also need to be mechanisms in place to identify and prevent internal data leakages from occurring.”
She added: “To be truly effective when it comes to protecting personal data requires a mix of people, processes and technologies: all of which have to be carefully aligned so that everything fits together properly. At the end of the day, security alone cannot stop a breach, it requires a cultural shift to embed data governance throughout an organisation.”
The loss or theft of unencrypted devices (133) was another common reason for data breach reports, the FOI found. Of the deliberate cyber incidents reported, unauthorised access was the most common (102), followed by malware (53), phishing attacks (51) and ransomware (33).