London - June 2016 - Figures obtained by Egress Software Technologies via a Freedom of Information (FOI) request to the Information Commissioner’s Office (ICO) highlight a concerning upward curve in reported data breach incidents, with human error remaining the main cause. The statistics provide a year-on-year analysis of Principle Seven security breaches of the Data Protection Act, examining the most recent incidents from 1st January – 31st March 2016 and comparing them against the same period in 2014 and 2015.
Worryingly, of the sectors compared over the three years, 66% reported an increase in data breach incidents, with the courts and justice sector recording a rise of 500% in the period.
Other organisations that have experienced a concerning growth in breach incidents are insurance firms (317%), general businesses (157%), solicitors and barristers (127%), and charities (109%). Although not experiencing such a dramatic rise in breaches, with only a 13% increase, healthcare organisations continue to top the list for total number of reported incidents at 184.
Paying for their mistakes: Human error remains an unresolved data security challenge
For January – March 2016, human error accounted for almost two-thirds (62%) of the incidents reported to the ICO – far outstripping other causes, such as insecure webpages and hacking, which stand at 9% combined. Despite this, market attention and resources continue to focus on external threats, in particular cyber-attacks and hackers. This is supported by a survey published by Egress earlier this year, which showed 49% of CIOs prioritising hackers and only 20% considering human error a top priority.
Categorisation by the ICO of the types of breaches caused by human error reveals the major causes as: data posted or faxed to the wrong recipient (17%), loss and theft of paperwork (17%), and data emailed to the wrong recipient (9%). Other causes included insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data.
Egress CEO Tony Pepper comments: “Human error and data breach incidents continue to go hand-in-hand. Time and again we’re faced with this reality and yet as today’s statistics show, little effective action seems to have been taken to improve the situation. Clearly at a board level, mistakes continue to be made as priorities aren’t balanced, leaving companies exposed.
“The fact that so many breaches are caused by methods of working that are known data breach pitfalls – such as faxing and posting sensitive information, or using plaintext email – should be a major concern for all organisations. Organisations need to begin gaining a holistic understanding of the information security measures they have in place. This begins with examining the nature of the data produced and handled by their staff, and using a classification tool to mandate how it is treated. Next, they need to make sure that, when required, the data is released in the correct manner. Integration between classification policy and tools, such as email encryption and secure online collaboration, can ensure the correct protection and control is applied to the data when it is released from their environment – functionality obviously not available in more traditional ways of working.”
Raising the stakes: the EU GDPR
Organisations that suffer a data breach continue to be subjected to widespread publicity, especially regarding subsequent loss of customer confidence and financial implications.
Of interest is the rise in incidents reported by private sector companies, namely courts and justice organisations, insurance firms, solicitors and general business. Although advised to disclose data breaches as soon as possible, corporate organisations are not currently mandated by law to do so. This is set to change under the EU General Data Protection Regulation (GDPR), which will enforce mandatory notification within 72 hours for breaches where sensitive personal information is put at risk. Reported incidents are therefore expected to increase for private organisations in the wake of the legislation in 2018.
The EU GDPR is also set to ring the changes by significantly increasing the maximum monetary penalties to 4% of annual worldwide turnover for organisations found to have breached the regulation. Again, this is particularly meaningful for private sector organisations which, to date, have only received 18% (£1,233,500) of financial sanctions under the current Data Protection Act. With more incidents reported and higher fines on the table, corporate organisations are being called upon to improve their data security over the next two years before the legislation comes into effect.
Pepper continues: “Enforcement of the EU GDPR will begin in 2018 – and organisations need to be ready in advance so that they don’t fall foul of the new legislation. Corporate organisations are already increasingly coming under the spotlight following several high-profile breaches of consumer data over the last 12 months and the EU GDPR will only amplify this. Additionally, as individuals become more aware of the data these companies hold and the measures they’re putting in place when processing and sharing it, they will inevitably also put pressure on organisations to better protect their data – or they will simply take their custom elsewhere.
“It’s worth noting as well that public sector organisations won’t escape from the remit of the new legislation either. For example, although not reporting such a dramatic rise in the number of data breaches as some corporate organisations, the healthcare sector remains a serial offender at the top of the list year-on-year. Consequently, with the EU GDPR carrying serious implications for organisations across all industries, today’s statistics prove that changes must be made to improve the track record for data breach incidents these organisations are experiencing and help them to secure their data from start to finish.”