The study, carried out by Kroll, took into account an array of personal data, including health, financial and employment details.
Access to this data was made possible under the Freedom of Information Act, in addition to some ICO data being publicly available.
Kroll found that over 2,000 reports received by the ICO within the last year could be attributed to human error, compared to just 292 that were deliberate cyber incidents.
Of the reports that were possibly caused by human error, the most common breach types were identified as emails to incorrect recipients (447), data posted or faxed to incorrect recipients (441), and loss or theft of paperwork (438).
As for purely cyber-related attacks without human involvement, the most frequent type within the last year was unauthorised access (102).
Additionally, the health sector was revealed to be the most common source of data breach reports, with a total of 1,214, followed by general business (362), which also showed the highest percentage increase over the past two years (215%).
GDPR an Important Factor
Kroll said that the increase in reports indicates a corresponding increase in transparency on the part of companies as a result of the introduction of the EU General Data Protection Regulation (GDPR) back in May.
“Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force,” explained Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice, “so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK.
“The recent rise in the number of reports is probably due to organisations’ gearing up for the GDPR as much as an increase in incidents. Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organisations to report certain types of personal data breach.
“We would also expect to see an increase in the value of penalties issued as the maximum possible fine has risen from £500,000 to €20 million or 4 per cent of annual turnover, whichever is higher. The ultimate impact is that businesses face not only a much greater financial risk around personal data, but also a heightened reputational risk.”
The Importance of Automation
Commenting on the findings from Kroll, Sarah Armstrong-Smith, Head of Continuity & Resilience at Fujitsu UK & Ireland, said that companies need to support users, helping them become “the strongest link, not the weakest.”
She said: “This needs to go beyond just providing users with security and privacy training and awareness. There also needs to be mechanisms in place to identify and prevent internal data leakages from occurring.”
Ms Armstrong-Smith went on to explain the role of automation in possibly improving data security.
“Automation is helping organisations to detect and respond to changes and adapt policies to protect people and to enable them to be compliant. Not only this, but automation can help organisations react quicker and respond to a breach should it happen.
“They can do it proactively, report it in a timely and compliant way, and ensure they take control of events, rather than the other way around.
“To be truly effective when it comes to protecting personal data requires a mix of people, processes and technologies: all of which have to be carefully aligned so that everything fits together properly.
“At the end of the day, security alone cannot stop a breach, it requires a cultural shift to embed data governance throughout an organisation.”