The ICO has released its Q4 2020-21 data security incident trends report. The numbers do not reflect the true volume of incidents, only those reported to the regulator. Even so, they show how insider risk underpins the majority of data breaches suffered by organisations. Health, education and finance are the sectors with the most incidents.
According to Tony Pepper, CEO of Egress: “Insider risk is every organisation’s most complex security vulnerability, and the ICO’s latest report drives home the true scale of the problem. From misdirected emails to employees falling for phishing attacks, organisations are losing a staggering amount of data through their people. With many organisations aware of only a fraction of these incidents, the true cost of insider data breaches may be much higher than what we’re seeing here.
“The technology exists to solve this problem – it’s now up to organisations to ensure that they’re taking the right steps to ensure that their human layer is protected.”
Who is losing data, and how?
Most industries have issues, although reporting appears to be highly variable. For example, there are no reports from marketing and PR companies about emailing data to the wrong person. From our inboxes here at Enterprise Times, that’s clearly wrong. A call to several contacts asking about this reveals that most don’t see this as an issue.
The data breaks into two distinct groups: non-cyber-related incidents and cybersecurity incidents. Both raise significant concerns for certain industries.
Non-cyber related incidents
This group covers staff sending or verbally disclosing data to the wrong person. It also includes lost paperwork and the loss or theft of devices.
Emailing data to the wrong person (443) is the most common cause of a breach. The most prolific offender is education (89), followed by health (67) and legal (65). It will be interesting to see whether legal sees a jump in the next report: solicitors rushed to complete before 30th June, which meant many lawyers reused boilerplate documents that were not always cleaned up before being sent.
Across the 14 sectors, health reported the most non-cyber incidents (380), followed by education (262) and local government (211).
Human error is the cause of the majority of these breaches, although better technology, such as outbound email checks that flag an unexpected recipient or attachment before a message leaves, could have prevented some of them.
Incidents classed as cybersecurity issues are split between technical failures and human error. People-related incidents were led by phishing (249), followed by unauthorised access (67) and hardware/software misconfiguration (36). The report does not state how many of the unauthorised access incidents were internal rather than external.
Technical threats also featured strongly, with ransomware (150) and malware (46) well represented.
When it comes to industry sectors, there is a distinct shift. Retail and manufacture (133) had the most cyber incidents, followed by finance (96) and education (79). Again, there is not enough clarity here. Are the education attacks down to students hacking into systems or installing crypto-mining tools, as NTT recorded in its recent report? How many are state-sponsored attacks looking to steal research? This is where this type of report is not always helpful: there are too many ways for the data to be misinterpreted.
Enterprise Times: What does this mean?
The number of reported incidents is predictably low. Companies will rightly look to avoid reporting an incident if they are not required to. This makes it harder to understand the scope of the problem and shows that there is much more for regulators to do. One step is making all data breach incidents reportable, irrespective of company size. That would give a far better view of the state of cybersecurity and data risk.
Such a move would have a cost and would create a significant spike in the number of known incidents. However, the spike would be temporary, and it would provide a much clearer view of where organisations and industries stand on data protection.
For now, the one thing that is abundantly clear from these numbers is that insider risk is a major problem. It is too simplistic to blame it on poor user education alone. Organisations need the right tools, processes and other measures in place to catch and remediate these issues.