Human error behind nearly two thirds of data breaches, ICO figures show

Two thirds of sectors have experienced an increase in data breaches over the last three years, and human error is by far the most common cause of such incidents, according to newly published figures.

Statistics obtained by Egress Technologies via a Freedom of Information request to the Information Commissioner's Office show an upward curve in reported data breach incidents, with 66 per cent of sectors seeing an increase between 2014 and 2016.

The biggest increase was in the courts and justice sector, which saw a 500 per cent increase in incidents between 1st January and 31st March over the three years. Other hard-hit areas were insurance (317 per cent) and general businesses (157 per cent).

Human error accounted for 62 per cent of breaches between January and April this year, according to the figures, making it by far the most common cause. Meanwhile, insecure web pages and hacking combined were behind only nine per cent of data breaches.

Among the mistakes made, 17 per cent of breaches were caused by data being posted or faxed to the wrong recipient, 17 per cent stemmed from the loss or theft of paperwork and nine per cent involved data being emailed to the wrong recipient.

“Human error and data breach incidents continue to go hand-in-hand,” said Egress CEO Tony Pepper. “Time and again we’re faced with this reality and yet as today’s statistics show, little effective action seems to have been taken to improve the situation. Clearly at a board level, mistakes continue to be made as priorities aren’t balanced, leaving companies exposed.

“The fact that so many breaches are caused by methods of working that are known data breach pitfalls – such as faxing and posting sensitive information, or using plaintext email – should be a major concern for all organisations.

“Organisations need to begin gaining a holistic understanding of the information security measures they have in place. This begins with examining the nature of the data produced and handled by their staff, and using a classification tool to mandate how it is treated.

“Next, they need to make sure that, when required, the data is released in the correct manner. Integration between classification policy and tools, such as email encryption and secure online collaboration, can ensure the correct protection and control is applied to the data when it is released from their environment – functionality obviously not available in more traditional ways of working.”
