FoI: Employees Are Still Responsible For Two Thirds Of Data Breaches

laptop anger lost data crash © auremar Shutterstock

Pesky humans to blame as data breaches increase, an FOI request to the ICO reveals

People remain the weak link when it comes to corporate security after new data showed that human error is responsible for the bulk of all reported data breaches.

A Freedom of Information (FOI) request to the Information Commissioner’s Office (ICO), submitted by secure collaboration firm Egress, found human error accounts for 62 percent of all data breaches reported in the UK

Human Error

Whistleblower leak keyboard security breach © CarpathianPrince ShutterstockOther causes of data breaches include insecure webpages and hacking, which stands at 9 percent combined; data posted or faxed to the wrong recipient (17 percent); loss and theft of paperwork (17 percent); and data emailed to the wrong recipient (9 percent).

Insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data, were also cited causes.

The FOI studied the data gathered between January and March this year, and compared to the same period in 2014 and 2015.

And somewhat depressingly, the FOI also revealed that data breaches are on the rise, after 66 percent of business sectors reported that they had experienced a rise in breaches over 3 years.

But where exactly are these breaches happening? Well, the data revealed some surprises when it showed for example, that the courts and justice sector reported a 500 percent rise in data breaches.

Other organisations that experienced a concerning growth in breach incidents are insurance firms (317 percent), general businesses (157 percent), solicitors and barristers (127 percent), and charities (109 percent).

But the worst sector for data breaches remains the healthcare sector. Whilst this sector did not experience such a dramatic rise in breaches (only 13 percent increase), healthcare organisations continue to top the list for total number of reported incidents at 184.

“Human error and data breach incidents continue to go hand-in-hand,” said Egress CEO Tony Pepper. “Time and again we’re faced with this reality and yet as today’s statistics show, little effective action seems to have been taken to improve the situation. Clearly at a board level, mistakes continue to be made as priorities aren’t balanced, leaving companies exposed.”

“The fact that so many breaches are caused by methods of working that are known data breach pitfalls – such as faxing and posting sensitive information, or using plaintext email – should be a major concern for all organisations,” he added.

“Organisations need to begin gaining a holistic understanding of the information security measures they have in place,” said Pepper. “These figures are particularly worrying now that the EU’s GDPR regulation is set to come into effect on May 25th 2018, meaning the clock is ticking for organisations across all industries to address the risk before hefty fines for data breaches are enforced.”

Looming Deadline

Pepper is right to point out that organisations need to plan for the upcoming arrival of the EU General Data Protection Regulation (GDPR), which will enforce mandatory notification within 72 hours for breaches where sensitive personal information is put at risk.

The legislation was finally passed by the European Parliament in April, after more than four years of negotiations. It aims to give citizens back control over their data in the digital age, including the right to be forgotten. It also imposes tough financial penalties on businesses for not protecting data.

For example, companies that do not comply with the strict new requirement will face fines of up to 4 percent of their global revenue for the previous year, or €20 million (£15.8m) depending on which is greater. In the UK for example, the maximum current penalty (under the UK Data Protection Act) stands at £500,000.

Earlier this year nearly 80 percent of UK medium and large businesses said they were not confident they will be able to comply with the GDPR regulations that are set to be enforced from 2018.

“Enforcement of the EU GDPR will begin in 2018 – and organisations need to be ready in advance so that they don’t fall foul of the new legislation,” concluded Egress CEO Pepper.

Take our data breaches of 2015 quiz here!