UK Reported security incidents increase ahead of GDPR
When GDPR comes into force next week, organizations will have 72 hours to report security breaches to a regulator once they become aware of them.
Ahead of the new legislation, the UK's Information Commissioner's Office (ICO) has released details of the latest data security trends. Reported incidents in the final quarter of 2017 showed a 17 percent increase over the previous quarter, perhaps indicating that companies are taking a more proactive approach to reporting as GDPR approaches.
Incidents in the education sector rose by 32 percent over the same period and those in the charitable and giving sector by 69 percent. Incidents involving data sent to a wrong email address rose from four to 20 in this sector. The health sector had the highest number of reports overall, since breach reporting is already mandatory. Here there were 45 incidents of data emailed to the wrong recipient and 72 of data posted or faxed to the wrong place.
"Looking at what incidents companies have reported into the ICO, it is clear that humans are still the weakest link in the cybersecurity chain," says Richard Walters, chief security strategist at CensorNet. "Employees across all sectors are emailing data to the wrong recipient, paperwork is being lost and stolen, and some sensitive information is even being posted out to the wrong people. As the apps available to employees at work increase, such as Dropbox, Google Drive or even Whatsapp and Facebook Messenger, you better believe staff are leaking data through those as well."
The figures underline the fact that GDPR is not just an IT issue. "Awareness throughout the organization is the major issue here," says Tony Pepper, CEO of Egress. "It is not enough for just your tech teams to be prepared, it is the employees across the company -- in marketing, HR, sales -- who handle personal data and are evidently putting it at risk. Ask yourself, are your staff aware of the practices you have put in place for GDPR? Have they been trained to use the technology you have implemented? Do they even know what counts as personal data? Awareness is the key to compliance and today's results strongly suggest that breaches are happening because employees are ill-informed in how to handle data."
Simon McCalla, CTO of Nominet echoes the need for effective training. "It’s perhaps unsurprising that data security incidents reported to the ICO in the first quarter of 2018 are on the up. As it points out, in the run-up to GDPR a lot of companies will have become more cautious about incidents and reporting them. Interestingly, there are far more incidents caused by human error than there are external cyber threats, suggesting that a lot more work needs to be done on training employees."
You can see full details of the data incident trends on the ICO's website. It plans to update the information each quarter, so it will be interesting to see what happens after GDPR comes into force.