Human error, poor processes and inadequate systems accounted for virtually all the data breaches reported to privacy watchdog the Information Commissioner’s Office (ICO) in the second quarter, according to new figures.
Encryption firm Egress submitted Freedom of Information requests to the ICO comparing April-June 2013 with the same period this year and found that 93% of breaches in Q2 2014 were down to simple mistakes while 7% were due to technical issues.
It also found that no fines have yet been issued as a result of breaches caused by technical failings, whereas £5.1m has been levied for mistakes made by those handling sensitive data.
The stats show sharp rises in breaches due to human error across the board from 2013 to 2014: healthcare (up 101%), insurance (200%), education (56%), lenders (200%) and general business (143%).
As a result, the ICO has doled out over £6.7 million in fines since 2010, with the majority (£4.5m) aimed at public sector organizations.
Brighton and Sussex University Hospitals NHS Trust has received the largest fine to date – £325,000 – contributing to a total of £1.3m for the healthcare sector as a whole.
During the first quarter of 2014, 25% of reported breaches were down to “accidental loss or destruction of personal data,” up from 15% in the second half of 2013.
The findings echo those of consultancy IT Governance, which found that poor information security accounted for 94% of all notices issued by the ICO over the past 22 months. It found that the average cost of a data breach as a result of action by the privacy watchdog was over £35,000.
“As the analysis shows, despite the fact that APTs and sophisticated malware often dominate the security agenda, the reality is that the biggest risk to companies is much more mundane: human error,” Egress CEO Tony Pepper told Infosecurity.
“It is clear that the substantial investment in training processes and policy is not curbing the considerable rise in data breaches and incidents, and users are still uneducated about the risks.”
He added that policy alone will never solve the data breach problem, so firms must prioritize investments in security tools.
“Organizations should invest in the right tools, focusing on smart, simple-to-use, effective data security solutions that protect end-users from making mistakes and protect organizations and external third parties from data breaches,” he argued.