SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
More than half of personal data breaches caused by human error
Wed, 21st Aug 2019

A new report out of the UK has revealed that 60% of ICO-reported breaches this year are caused by human error, with healthcare the most-affected sector.

Figures released by data security solutions firm Egress, obtained via a Freedom of Information (FOI) request, highlight concerning statistics on human error remaining the main cause of personal data breaches.

The figures show that of the 4856 personal data breaches (PDBs) reported to the Information Commissioner's Office (ICO) between 1st January and 20th June 2019, 60% were the result of human error.

Of those incidents, nearly half (43%) were the result of incorrect disclosure, with 20% posting or faxing data to the incorrect recipient. Nearly a fifth (18%) were attributed to emailing information to incorrect recipients or failing to use Bcc, and 5% were caused by providing data in a response to a phishing attack.

Egress CEO Tony Pepper says these statistics are alarming.

"All too often, organisations fixate on external threats, while the biggest cause of breaches remains the fallibility of people and an inherent inability of employees to send emails to the right person," he explains.

"Not every insider breach is the result of reckless or negligent employees, but regardless, the presence of human error in breaches means organisations must invest in technology that works alongside the user in mitigating the insider threat."

Pepper says the statistics further compound findings from the Insider Data Breach survey 2019, research commissioned by Egress and conducted by independent research company Opinion Matters.

The research, which gathered responses from over 500 IT leaders and 4,000 employees to assess the root causes of internal data breaches, as well as their frequency and impact, showed 95% of IT leaders are concerned about insider threat. The research also showed that 79% of IT leaders believed that employees have put company data at risk accidentally in the last 12 months, whilst 61% believe they have done so maliciously.

Analysing the ICO's personal data breaches in this period by sector reveals that the following industries top the list:

1. 18% were reported within Healthcare
2. 16% were reported within Central and Local Government
3. 12% were reported within Education
4. 11% were reported within Justice and Legal
5. 9% were reported within Financial Services

In Verizon's 2019 Data Breach Investigations Report, healthcare was the only industry where the insider threat created more data breaches than external attacks (59% of data breaches are associated with internal actors). According to Verizon, mis-delivery was the most common type of human error that led to data breaches, making up 15% of all data breaches affecting healthcare organisations.

"The healthcare sector persistently tops the list when analysing the sectors affected by data breaches," Pepper says.

"This is very concerning, especially given the nature of the data. Why this particular industry continues to suffer from internal breaches is worrying and the sector must quickly take action to identify how it can work towards mitigating the insider threat," he explains.

"What is equally worrying is that the statistics obtained from our FOI request leave us in a Groundhog Day scenario," says Pepper.

"When the ICO released its Q1 statistics last year, it showed that between April and June 2018, 3416 data security incidents were reported, most of which were again down to human error, failed processes and inadequate policies," he says.

"The data revealed that of those 3146 security incidents, incorrect disclosure of data accounted for 65%, as opposed to external cyber threats caused by malware, ransomware, brute force attacks and phishing, which accounted for around 13%."