In the last two years reports of UK data breaches to the Information Commissioner’s Office have increased by 75%, according to research by risk solutions provider Kroll. But of these, just 12% were the result of malicious attacks.
The data was obtained via a Freedom of Information Act request to the UK’s Information Commissioner’s Office (ICO), the public body responsible for monitoring and fining data breaches. It covered breaches of personal data, including health, financial, employment and criminal record data.
The research showed that while data breaches are generally associated with the actions of malicious criminals, the reality indicates something quite different: 88% were the result of human error.
The most common error was to send sensitive data to the wrong recipient, which was the cause of 37% of reported data breaches. The majority of these happened over email, but a sizeable number also occurred via post or fax.
Other common errors included the loss or theft of paperwork, forgetting to redact data or storing data in an insecure location, such as a public cloud server.
“Effective cyber security is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks,” said Andrew Beckett, managing director and EMEA leader for Kroll’s Cyber Risk Practice.
“The majority of data breaches, and even many cyberattacks, could be prevented by human vigilance or the implementation of relatively simple security procedures.”
Reports of UK data breaches grow with GDPR
With the introduction of GDPR in May it became mandatory for businesses to inform the ICO of breaches; however, this research suggests that businesses had increasingly been doing so already, in preparation for the regulation.
Significantly, these reports will only be a small number of the data breaches suffered by UK businesses over this period.
“Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK,” said Beckett.
“The recent rise in the number of reports is probably due to organisations’ gearing up for the GDPR as much as an increase in incidents.
“Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organisations to report certain types of personal data breach.”