Sloppy human error still prime cause of data breaches
FOI data from ICO reveals usual failings: loss of paperwork, data sent to wrong recipients, insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data
Figures obtained from the Information Commissioner's Office (ICO) have revealed that human error continues to be the main cause of data breaches, with healthcare organisations one of the key groups affected.
The figures, obtained by Egress Software Technologies via a Freedom of Information (FOI) request, show a continual upward curve in reported data breach incidents.
The statistics provide a year-on-year analysis of breaches of Principle Seven (the security principle) of the Data Protection Act, and examine the most recent incidents from 1 January to 31 March 2016, comparing them against the same period in 2014 and 2015.
Of the sectors compared over the three years, 66% reported an increase in data breach incidents, with the courts and justice sector recording a rise of 500% over the period. Healthcare organisations continue to top the list for total number of reported incidents at 184.
Human error remains the main cause. For January - April 2016, human error accounted for almost two-thirds (62%) of the incidents reported to the ICO, far outstripping other causes such as insecure webpages and hacking, which together account for just 9%. Despite this, market attention and resources continue to focus on external threats, notably cyber-attacks and hackers.
A survey published by Egress earlier this year showed that 49% of CIOs are prioritising hackers with only 20% considering human error as a top priority.
Categorisation by the ICO of the types of breaches caused by human error reveals the major causes as: data posted or faxed to the wrong recipient (17%), loss and theft of paperwork (17%) and data emailed to the wrong recipient (9%). Other causes detailed in the ICO figures included insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data.
Egress chief executive Tony Pepper said: "Human error and data breach incidents continue to go hand-in-hand. Time and again we're faced with this reality and yet as today's statistics show, little effective action seems to have been taken to improve the situation.
Discussing the public sector, Pepper said: "We can see that despite data breaches rising in the private sector, we are seeing some improvements in the public sector. In fact, we have seen a fairly significant 20% reduction in breaches in local government and a 5% reduction in education data breaches too since 2013/2014. This is great news and it is good to see some evidence of a potential turn in the tide.
"However, healthcare is still by far the biggest data breach culprit, and the number of breaches has risen by 13% over the past three years. So there is still some way to go. When you consider that human error is the most common source of data breach, the public sector really needs to review its information sharing processes to try and avoid these breaches.
"Firstly, organisations need to have the means to securely share information both internally and with trusted external third parties using encryption tools that suit the ways their employees work - whether securing emails or large files, or providing a secure collaboration environment. Secondly, they need to ensure users retain control over their data from start to finish, even after it has been shared with a third party. For example, having the ability to retract an email sent in error, such as in this case, so that the recipient is unable to read the contents. Finally, this smart technology needs to be combined with user education, policies and procedures that help them to understand how to treat data."
Pepper believes the new EU General Data Protection Regulation (GDPR) is likely to up the stakes over data breaches.
Organisations that suffer a data breach continue to be subjected to widespread publicity, especially in relation to a subsequent loss of customer confidence and consequent financial implications from the breach.
Although they are advised to disclose data breaches as soon as possible, corporate organisations are not currently mandated by law to do so. This is set to change under the EU General Data Protection Regulation (GDPR), which will enforce mandatory notification within 72 hours for breaches where sensitive personal information is put at risk. Reported incidents are therefore expected to increase in the wake of the legislation in 2018.
The EU GDPR is also expected to spur major change by significantly increasing the maximum monetary penalties to 4% of annual worldwide turnover for organisations found to have breached the regulation. With more incidents reported and higher fines on the table, corporate organisations are being called upon to improve their data security over the next two years before the legislation comes into effect.
Pepper added: "Enforcement of the EU GDPR will begin in 2018 - and organisations need to be ready in advance so that they don't fall foul of the new legislation. Corporate organisations are already increasingly coming under the spotlight following several high-profile breaches of consumer data over the last 12 months and the EU GDPR will only amplify this. Additionally, as individuals become more aware of the data these companies hold and the measures they're putting in place when processing and sharing it, they will inevitably also put pressure on organisations to better protect their data - or they will simply take their custom elsewhere.
"It's worth noting as well that public sector organisations won't escape from the remit of the new legislation either. With the EU GDPR carrying serious implications for organisations across all industries, today's statistics prove that changes must be made to improve the track record for data breach incidents these organisations are experiencing and help them to secure their data from start to finish."