Data security incidents reported to ICO grew by 17% in Q4
18 May 2018
The Information Commissioner’s Office released its latest report on the trends in data security incidents reported to it between January and March this year, stating that the total number of such incidents grew by 17% compared to the October to December quarter.
Overall, the Information Commissioner’s Office received information on a total of 957 data security incidents in the quarter, up from 815 incidents in the previous quarter. In fact, the total number of reported data security incidents more than tripled when compared to those reported between January and March 2017.
As far as cyber security incidents are concerned, the ICO noted that this was the first time since Q4 of 2016-17 that the number of reported incidents had increased. In 2017, the number of incidents reported per quarter fell from 119 in January-March to just 74 in October-December, but shot up again to 97 reported incidents between January and March 2018.
Human error makes the healthcare sector highly vulnerable
The healthcare sector was the worst affected in Q4 2017-18 as far as data security incidents were concerned. The ICO noted that incidents suffered by the healthcare sector rose by 22% between Q2 and Q3 and by 21% between Q3 and Q4. In all, the healthcare sector suffered as many as 349 data security incidents between January and March this year.
A detailed chart shared by the ICO revealed that the bulk of data security incidents suffered by the healthcare sector was due to carelessness and inadvertent errors on the part of employees. For example, out of 349 such incidents, 72 occurred due to data being faxed or posted to incorrect recipients, 49 due to loss or theft of paperwork, 45 due to data sent by email to incorrect recipients, 27 due to data left in an insecure location, 13 due to failure to redact data, and 6 due to failure to use BCC when sending email.
Earlier this month, a survey carried out by UK data security pioneer Clearswift revealed that 45% of employees had mistakenly shared sensitive emails with unintended recipients, leaking information covered by GDPR such as bank details, attachments and personal data. It also revealed that a mere one in four employees (27%) would delete these emails from their inboxes and clear their deleted items, and that less than half of employees were fully aware of the agreed process in their organisation for when such emails were received.
“To offset the inevitable risk associated with email communications, companies need a clear strategy, which encompasses people, processes and technology,” said Dr Guy Bunker, SVP products at Clearswift.
“Instilling the values of being a ‘good data citizen’ can engender a sense of data consciousness in the workplace, ensuring that employees are aware of responsible disclosure, and with whom this responsibility sits upon receiving an email in error. However, a formally agreed process or course of action is also a must. There is not a silver bullet and technology can once again offer assurances to help mitigate risks,” he added.
Security incidents suffered by other sectors
According to the ICO, aside from healthcare, several other sectors also saw a rise in reported data security incidents in Q4. Between Q3 and Q4, the education sector saw reported incidents rise from 96 to 127 and theft of paperwork rise from 6 to 16, while charity organisations saw reported incidents rise from 35 to 59 and data sent to incorrect recipients by employees rise from 4 to 20.
Other industries such as finance, insurance & credit and general business also suffered due to human error and inappropriate handling of data. Out of 61 incidents suffered by the finance, insurance & credit sector, 14 occurred due to data sent by email to incorrect recipients, 9 occurred due to data posted or faxed to incorrect recipients, and 6 occurred due to loss or theft of paperwork.
Earlier this month, writing for TEISS, Jon Fielding, Managing Director EMEA at Apricorn, said: “Large volumes of corporate data and personally identifiable information (PII) are being physically taken out of the workplace every day. Mobile and removable devices are at high risk of loss and theft – and so is the information that resides on them, once it is moved or transferred outside the corporate network and systems.
“Limiting access to mobile technologies and applications is not the answer to safeguarding data – this will only restrict productivity. The best approach is to place the employee at the centre of a mobile security strategy that controls, monitors and securely manages data when it exists outside of central systems.
“Policies and procedures should not be hard to understand or adhere to – this is when employees will find workarounds or decide to take a short-cut. The more simple and seamless they are, the more likely it is they will be adopted by users,” he added.