
More than half of personal data breaches caused by human error 

A new report out of the UK has revealed that 60% of ICO-reported breaches this year are caused by human error, with healthcare the most-affected sector.

Figures released by data security solutions firm Egress, obtained via a Freedom of Information (FOI) request, highlight concerning statistics on human error remaining the main cause of personal data breaches.

The figures show that of the 4856 personal data breaches (PDBs) reported to the Information Commissioner's Office (ICO) between 1st January and 20th June 2019, 60% were the result of human error.

Of those incidents, nearly half (43%) were the result of incorrect disclosure, with 20% posting or faxing data to the incorrect recipient. Nearly a fifth (18%) were attributed to emailing information to incorrect recipients or failing to use Bcc, and 5% were caused by providing data in a response to a phishing attack.

Tony Pepper, CEO of Egress, says these statistics are alarming.

"All too often, organisations fixate on external threats, while the biggest cause of breaches remains the fallibility of people and an inherent inability of employees to send emails to the right person," he explains. 

"Not every insider breach is the result of reckless or negligent employees, but regardless, the presence of human error in breaches means organisations must invest in technology that works alongside the user in mitigating the insider threat."

Pepper says the statistics further compound findings from the Insider Data Breach survey 2019, research commissioned by Egress and conducted by independent research company Opinion Matters. 

The research, which gathered responses from over 500 IT leaders and 4,000 employees to assess the root causes of internal data breaches, as well as their frequency and impact, showed 95% of IT leaders are concerned about insider threat. The research also showed that 79% of IT leaders believed that employees have put company data at risk accidentally in the last 12 months, whilst 61% believe they have done so maliciously.

Analysing the ICO's personal data breaches in this period by sector reveals that the following industries top the list:
 
1.    18% were reported within Healthcare
2.    16% were reported within Central and Local Government
3.    12% were reported within Education
4.    11% were reported within Justice and Legal
5.    9% were reported within Financial Services
 
In Verizon's 2019 Data Breach Investigations Report, healthcare was the only industry where the insider threat created more data breaches than external attacks (59% of data breaches are associated with internal actors). According to Verizon, mis-delivery was the most common type of human error that led to data breaches, making up 15% of all data breaches affecting healthcare organisations.
 
"The healthcare sector persistently tops the list when analysing the sectors affected by data breaches," Pepper says. 

"This is very concerning, especially given the nature of the data. Why this particular industry continues to suffer from internal breaches is worrying and the sector must quickly take action to identify how it can work towards mitigating the insider threat," he explains.

"What is equally worrying is that the statistics obtained from our FOI request leave us in a Groundhog Day scenario," says Pepper. 

"When the ICO released its Q1 statistics last year it showed that between April and June 2018 3416 data security incidents were reported, most of which were again down to human error, failed processes and inadequate policies," he says. 

"The data revealed that of those 3146 security incidents incorrect disclosure of data accounted for 65%, as opposed to external cyber threats caused by malware, ransomware, brute force attacks and phishing, which accounted for around 13%."
