The UK Information Commissioner’s Office’s (ICO) latest data security incident trends revealed that non-cyber incidents significantly outweighed cyber incidents during Q4 of 2019.
Of the 2629 incidents reported, 337 were due to “data emailed to incorrect recipient,” 265 were due to “data posted or faxed to incorrect recipient” and 213 were due to “loss/theft of paperwork or data left in insecure location.” Such non-cyber incidents are data leaks caused inadvertently by people inside the organisation.
By contrast, looking at the main cyber incidents reported in Q4 (categorised as malicious data breaches by outsiders), 280 were the result of phishing and 175 were due to unauthorised access.
This prevalence of accidental data leakage is echoed by Verizon’s 2020 Data Breach Investigations Report, which found that, on a global scale, errors have become ubiquitous and are now as common as socially engineered breaches, and even more common than malware.
An additional finding from the ICO’s report was that 20% fewer data leaks were reported in the UK during Q4 2019 than in Q4 2018, continuing a declining trend. DLA Piper’s GDPR Data Breach Survey 2020, however, revealed that all other EU countries showed a significant increase in reported data leaks, up by more than 50% on average.
Digging deeper, DLA Piper’s survey disclosed that 'only' 11,500 data leaks were reported in the UK in 2019. This is an average of 18 reported data leaks per 100,000 inhabitants. In Ireland and the Netherlands, the countries with the best reporting culture in the EU, the equivalent number was 140 data leaks per 100,000 inhabitants, reflecting reporting growth of more than 75%.
If similar reporting levels applied to UK inhabitants, the number of reported data leaks in the UK should be around 100,000 and growing, instead of 11,500 and declining. This can only be explained by a lack of incentive or awareness for companies to prevent, report and act upon data leaks, most likely because they assess the risk of a fine or reputational damage, in the case of experiencing a data leak and not reporting it, as low.
Assessing these numbers, we would hope that UK organisations, and the government, start to take people's privacy more seriously than they currently appear to.
Here are some steps organisations can take to get on the right path:
· Increase employee awareness of how errors happen and their implications. This has been named as one of the most important measures in the EU’s GDPR (and similar legislation, including the UK’s DPA), and is the key to targeting the main source of data leaks: people inside the organisation.
· Find a best-practice, user-friendly secure email solution that integrates easily with workers' existing email tools, such as Outlook and Gmail, to avoid disrupting their usual way of working, as changing people's behaviour is one of the hardest things to do.
· Ensure the solution employs multiple security measures at each stage of an email’s journey, i.e. before, during and after transmission, so the content is only read by the intended person. Such measures include real-time data classification, guaranteed message encryption and strong two-factor authentication.
· Above all, it is important for organisations to adopt an approach that educates workers in good information-sharing practices, supporting them to make safe decisions when sending emails.
Combining technology and training in this way is essential to reducing human-error data leaks. Getting staff on board is fundamental, ideally through an interactive and engaging security awareness programme tailored to specific job roles.
The right technology solution will also help staff do their job more effectively and with added confidence, especially in highly regulated sectors such as healthcare, local government, legal and insurance, where data privacy and compliance must be carefully considered at every stage of the communications process.
Looking ahead, the reality is that threats to data privacy are only going to increase, and regulatory compliance is therefore likely to become ever more demanding and complex, not least in light of the Covid-19-prompted contact-tracing apps and telephone tracking now being used in many countries around the world.
With this in mind, organisations that encourage a security-aware culture among their staff now, while simultaneously introducing digital tools to help workers easily avoid human-error data leaks, will be best placed to cope with the data privacy requirements of the future. This keeps the organisation’s reputation and performance levels intact, with motivated, security-aware staff and happy customers providing the opportunity to thrive.