Human error more damaging than cyber attacks

New figures highlight a concerning upward curve in reported data breach incidents, with human error remaining the main cause.

3rd Jun 16

Figures obtained by Egress Software Technologies via a Freedom of Information (FOI) request to the Information Commissioner’s Office (ICO) highlight a concerning upward curve in reported data breach incidents, with human error remaining the main cause.

The statistics provide a year-on-year analysis of Principle Seven security breaches of the Data Protection Act, examining the most recent incidents from 1st January – 31st March 2016 and comparing them against the same period in 2014 and 2015.

Worryingly, of the sectors compared over the three years, 66% reported an increase in data breach incidents. Charities saw a rise of 109% in the period.

Human error

For January to April 2016, human error accounted for almost two-thirds (62%) of the incidents reported to the ICO – far outstripping other causes, such as insecure webpages and hacking, which stand at 9% combined. Despite this, market attention and resources continue to focus on external threats, in particular cyber-attacks and hackers. This is supported by a survey published by Egress earlier this year, which showed that 49% of CIOs are prioritising hackers and only 20% consider human error a top priority.

Categorisation by the ICO of the types of breaches caused by human error reveals the major causes as:

  • data posted or faxed to the wrong recipient (17%)
  • loss and theft of paperwork (17%)
  • data emailed to the wrong recipient (9%)

Other causes included insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data.

Egress CEO Tony Pepper commented: “The fact that so many breaches are caused by methods of working that are known data breach pitfalls – such as faxing and posting sensitive information, or using plaintext email – should be a major concern for all organisations. Organisations need to begin gaining a holistic understanding of the information security measures they have in place.

“This begins with examining the nature of the data produced and handled by their staff, and using a classification tool to mandate how it is treated. Next, they need to make sure that, when required, the data is released in the correct manner. Integration between classification policy and tools, such as email encryption and secure online collaboration, can ensure the correct protection and control is applied to the data when it is released from their environment – functionality obviously not available in more traditional ways of working.”