The ICO received some 957 reports of data security incidents in the fourth quarter of 2017, compared with 815 in the quarter before. The regulator attributes the rise to increased awareness of the GDPR (General Data Protection Regulation), a new European Union-wide data protection law due to come into force on May 25 across the EU, and in the UK regardless of Brexit. Typical causes of an incident are data posted, faxed or emailed to incorrect recipients, or the theft or other loss of paperwork. For the trends in full, visit https://ico.org.uk/action-weve-taken/data-security-incident-trends/.
Richard Walters, Chief Security Strategist at the email and cloud security product company CensorNet, said it was clear that humans are still the weakest link in the cybersecurity chain. “Employees across all sectors are emailing data to the wrong recipient, paperwork is being lost and stolen, and some sensitive information is even being posted out to the wrong people. As the apps available to employees at work increase, such as Dropbox, Google Drive or even WhatsApp and Facebook Messenger, you better believe staff are leaking data through those as well.
“The only solution is for organisations to bring their staff into the fold. By controlling communication channels and the apps staff use, organisations would go a long way to reducing the majority of these breaches, and the UK’s cybersecurity posture as a whole would be vastly improved.”
And Tony Pepper, CEO of Egress, a secure data transfer product firm, said: “Cyber-attacks don’t even make the ranking of the top five most common types of data security incidents. The top causes are almost entirely organisations, or more accurately staff within organisations, accidentally releasing or leaking data. In fact, data sent by email to the incorrect recipient was the most common incident last quarter.
“Take the healthcare industry. The top three incidents reported in this vital sector are: data being posted and faxed to the wrong recipient; loss or theft of paperwork; and data sent by email to the incorrect recipient. None of these are sophisticated attacks orchestrated by cyber criminals, largely they are due to staff mistakes. These issues can be resolved by equipping staff to handle personal data – whether that’s through technology that supports and secures the work they do or more training and awareness – all things that companies should have been doing ahead of GDPR.
“Awareness throughout the organisation is the major issue here. It is not enough for just your tech teams to be prepared, it is the employees across the company – in marketing, HR, sales – who handle personal data and are evidently putting it at risk. Ask yourself, are your staff aware of the practices you have put in place for GDPR? Have they been trained to use the technology you have implemented? Do they even know what counts as personal data? Awareness is the key to compliance and today’s results strongly suggest that breaches are happening because employees are ill-informed in how to handle data.
“Now the GDPR is upon us, it is more imperative than ever that organisations adopt an approach that’s focused on users, working out what technology and support they can give their employees to help them handle data safely at work.”
As more incidents are caused by human error than by external cyber threats, Simon McCalla, CTO of Nominet, suggested that a lot more work needs to be done on training employees. “Often, however, cyber threats can lie unnoticed for months or even years, and so this data may well be skewed towards incidents that are immediately identifiable. This information should not, therefore, lure anyone into a false sense of security. We’d encourage all organisations across the UK to up their vigilance against any and all threats, whether that’s external threats lying dormant or unwitting employees making mistakes.”