Egress Survey: “Human error remains primary cause of personal data breaches”

Figures obtained via a Freedom of Information request and subsequently released by Egress, the provider of people-centric data security solutions, reveal concerning statistics showing that human error remains the main cause of personal data breaches.

The figures show that, of the 4,856 personal data breaches reported to the Information Commissioner’s Office (ICO) between 1 January and 20 June this year, 60% have been the result of human error. Of those incidents, nearly half (43%) were due to incorrect disclosure, with 20% of those individuals involved posting or faxing data to the incorrect recipient.

Nearly one fifth (18%) of incidents were attributed to information being e-mailed to incorrect recipients or a failure to use Bcc, while 5% were caused by data being provided in direct response to a phishing attack.

Tony Pepper, CEO at Egress, commented: “These statistics are alarming. All-too-often, organisations fixate on external threats, while the biggest cause of breaches remains the fallibility of people and an inherent inability of employees to send e-mails to the right person. Not every insider breach is the result of reckless or negligent employees, but regardless, the presence of human error in breaches means organisations must invest in technology that works alongside the user to mitigate the insider threat.”

Insider Data Breach Survey 2019

The statistics further compound findings from the Insider Data Breach Survey 2019 (research commissioned by Egress and conducted by independent research company Opinion Matters). The research, which gathered responses from over 500 IT leaders and 4,000 employees to assess the root causes of internal data breaches as well as their frequency and impact, shows that 95% of IT leaders are concerned about the insider threat.

The research also highlights that 79% of IT leaders believe their employees have put company data at risk accidentally in the last 12 months, while 61% feel they’ve done so maliciously.

Analysing the ICO’s personal data breaches in this period by sector reveals the following industries top the list: 18% of breaches were reported within healthcare, 16% within central and local Government, 12% within education, 11% within justice and legal and just 9% within financial services.

Worries in healthcare sector

In Verizon’s 2019 Data Breach Investigations Report, healthcare is the only industry where the insider threat has created more data breaches than external attacks (59% of data breaches are associated with internal actors). According to Verizon, misdelivery is the most common type of human error that leads to data breaches, making up 15% of all data breaches affecting healthcare organisations.

Pepper continued: “The healthcare sector persistently tops the list when analysing the sectors affected by data breaches. This is very concerning, especially given the nature of the data involved. Why this particular industry continues to suffer from internal breaches is worrying. Professionals operating in this sector must quickly take action to identify how it can work towards mitigating the insider threat.”

In conclusion, Pepper stated: “What’s equally worrying is that the statistics obtained from our Freedom of Information request leave us in a ‘Groundhog Day’ scenario. When the ICO released its Q1 statistics last year the figures showed that, between April and June 2018, some 3,416 data security incidents were reported, most of which were again down to human error, failed processes and inadequate policies. The data revealed that, of those 3,146 ‘security incidents’, the incorrect disclosure of data accounted for 65% of them as opposed to external cyber threats caused by malware, ransomware, brute force attacks and phishing, which accounted for around 13%.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
