Human error remains primary data breach cause

Written by Peter Walker
22/08/19

New figures have revealed that of the 4,856 personal data breaches reported to the Information Commissioner’s Office (ICO) between 1 January and 20 June 2019, 60 per cent were the result of human error.

This is according to security firm Egress, which obtained the data via a Freedom of Information request. It found that of those incidents, nearly half (43 per cent) were the result of incorrect disclosure, with 20 per cent posting or faxing data to the incorrect recipient.

Nearly a fifth (18 per cent) were attributed to emailing information to incorrect recipients or failing to use Bcc, while five per cent were caused by providing data in a response to a phishing attack.

Tony Pepper, chief executive at Egress, called the statistics alarming, pointing out that organisations often fixate on external threats, while the biggest cause of breaches remains the fallibility of people and an inherent inability of employees to send emails to the right person.

“Not every insider breach is the result of reckless or negligent employees, but regardless, the presence of human error in breaches means organisations must invest in technology that works alongside the user in mitigating the insider threat.”

The statistics compound findings from Egress’ insider data breach survey 2019, which gathered responses from over 500 IT leaders and 4,000 employees and showed that 95 per cent of IT leaders are concerned about insider threat.

The research also revealed that 79 per cent of IT leaders believe that employees have put company data at risk accidentally in the last 12 months, whilst 61 per cent believe they have done so maliciously.

An analysis by sector of the personal data breaches reported to the ICO in this period showed that the following industries top the list:

1. 18 per cent were reported within healthcare.
2. 16 per cent were reported within central and local government.
3. 12 per cent were reported within education.
4. 11 per cent were reported within justice and legal.
5. 9 per cent were reported within financial services.

In Verizon’s 2019 Data Breach Investigations Report, healthcare was the only industry where insider threat created more data breaches than external attacks – 59 per cent of data breaches were associated with internal actors. According to Verizon, mis-delivery was the most common type of human error that led to data breaches, making up 15 per cent of all breaches affecting healthcare organisations.

Pepper concluded by stating that it is worrying that when the ICO released its first quarter statistics last year, they showed that between April and June 3,416 data security incidents were reported, most of which were again down to human error, failed processes and inadequate policies.

“The data revealed that of those 3,146 ‘security incidents’ incorrect disclosure of data accounted for 65 per cent, as opposed to external ‘cyber threats’ caused by malware, ransomware, brute force attacks and phishing, which accounted for around 13 per cent,” he added.