Figures obtained via a Freedom of Information request and subsequently released by Egress, the provider of people-centric data security solutions, highlight concerning statistics: human error remains the main cause of personal data breaches.
The figures show that, of the 4,856 personal data breaches reported to the Information Commissioner’s Office (ICO) between 1 January and 20 June this year, 60% were the result of human error. Of those incidents, nearly half (43%) were due to incorrect disclosure, with 20% of those involving data being posted or faxed to the incorrect recipient.
Nearly one fifth (18%) of incidents were attributed to information being e-mailed to incorrect recipients or a failure to use Bcc, while 5% were caused by data being provided in direct response to a phishing attack.
Tony Pepper, CEO at Egress, commented: “These statistics are alarming. All too often, organisations fixate on external threats, while the biggest cause of breaches remains the fallibility of people and an inherent inability of employees to send e-mails to the right person. Not every insider breach is the result of reckless or negligent employees, but regardless, the presence of human error in breaches means organisations must invest in technology that works alongside the user to mitigate the insider threat.”
Insider Data Breach Survey 2019
The statistics reinforce findings from the Insider Data Breach Survey 2019 (research commissioned by Egress and conducted by independent research company Opinion Matters). The research, which gathered responses from over 500 IT leaders and 4,000 employees to assess the root causes of internal data breaches as well as their frequency and impact, shows that 95% of IT leaders are concerned about the insider threat.
The research also highlights that 79% of IT leaders believe their employees have put company data at risk accidentally in the last 12 months, while 61% feel they’ve done so maliciously.
Analysing the ICO’s personal data breaches in this period by sector reveals the following industries top the list: 18% of breaches were reported within healthcare, 16% within central and local Government, 12% within education, 11% within justice and legal and just 9% within financial services.
Worries in healthcare sector
In Verizon’s 2019 Data Breach Investigations Report, healthcare is the only industry where the insider threat has created more data breaches than external attacks (59% of data breaches are associated with internal actors). According to Verizon, misdelivery is the most common type of human error that leads to data breaches, making up 15% of all data breaches affecting healthcare organisations.
Pepper continued: “The healthcare sector persistently tops the list when analysing the sectors affected by data breaches. This is very concerning, especially given the nature of the data involved. Why this particular industry continues to suffer from internal breaches is worrying. Professionals operating in this sector must quickly take action to identify how they can work towards mitigating the insider threat.”
In conclusion, Pepper stated: “What’s equally worrying is that the statistics obtained from our Freedom of Information request leave us in a ‘Groundhog Day’ scenario. When the ICO released its Q1 statistics last year the figures showed that, between April and June 2018, some 3,416 data security incidents were reported, most of which were again down to human error, failed processes and inadequate policies. The data revealed that, of those 3,146 ‘security incidents’, the incorrect disclosure of data accounted for 65% of them as opposed to external cyber threats caused by malware, ransomware, brute force attacks and phishing, which accounted for around 13%.”