The risk consulting firm Kroll recently published a report showing that in the United Kingdom the number of security incidents that have led to data breaches has grown by 75% in the last two years. The most affected sector is healthcare, with 1,214 registered security incidents, which represents a 41% growth in the period analyzed. This is followed by service companies, with 362 incidents; education and childcare, with 354; and local public administration, with 328. But, who is responsible for most of these data breaches? Is it always cyberattackers?
Internal responsibility
The analysis carried out by Kroll indicates that the number of security incidents caused by human error within organizations is far higher than those caused by external cyberattacks. Specifically, 2,124 incidents that can be attributed to human errors were registered, compared to just 292 corresponding to cyberattacks.
The most common incidents due to human error within organizations include data sent to the wrong recipient (447 incidents), loss of documents (438), and data left in an insecure location (164). The loss or theft of unencrypted devices such as pen drives is another frequent case shown in the report, with 133 incidents. In any case, Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice, highlighted alongside the report that “a big regulatory change is behind the increase in this reporting of incidents”. That is to say, the implementation of the GDPR.
The impact of the GDPR
Beckett underlines the fact that “Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so the recent rise in the number of reports is probably due to organisations’ gearing up for the GDPR. Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported”.
This view coincides with a topic we discussed in a previous blog post: reports of apparent non-compliance have increased in several countries. In this sense, it is possible that some businesses overshot the mark and, despite already being compliant with the new regulations, decided to send out an email to their users asking for permission to receive notifications. Even so, it’s worth taking the regulation seriously, since the consequences of breaching the GDPR are extremely serious for two reasons:
- It has a strong negative impact on the company’s accounts, given that non-compliance can lead to penalties of up to €20 million or 4% of the company’s global annual turnover.
- It seriously undermines the business’s credibility, since, both in the minds of the public and within the sector, the company’s image will be associated with this violation.
How to avoid data breaches
The first step, as ever, is awareness and prevention: by law, all employees who manage personal information and data must know the limits and obligations defined by the GDPR, as well as the requirements it imposes for the processing, storage, and use of this data.
It’s also worth having company files that contain personally identifiable information audited, along with the users, employees or collaborators, and computers and servers that can access this information. It’s useful to carry out risk analysis for how data is treated within the company, establishing impact evaluations, and making sure the procedures for notifying the authorities of leaks are correctly implemented.
Finally, it is important for the company to have the capability to monitor and detect possible leaks or anomalous behavior in the use of files containing personal data in real time, with the aim of mitigating the breach as quickly and efficiently as possible once it has been detected.
To this end, it is a very good idea to use solutions like Panda Data Control, which are capable of discovering, auditing and monitoring unstructured personal data (data that isn’t held in a database or another structured store) on all endpoints. This way, it is possible to avoid unwanted access to your company’s sensitive data, guaranteeing that all personal data is registered and traced, and simplifying compliance with regulations such as GDPR and PCI-DSS.
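As an added illustration of the two activities described above (auditing which files hold personal data, then watching how those files are used), here is a small Python script. It is example code written for this post, not code from Kroll or from the Panda Data Control product, and it makes several assumptions: the "files" and the access-log lines are constructed inline, the log format (`ts user= action= path= dest=`) is invented for the example, and the detection rules (any copy of a personal-data file to removable media; any user touching two or more distinct personal-data files) are illustrative thresholds a real deployment would tune.

```python
import re
from collections import defaultdict

# Constructed sample documents (path -> content), standing in for the
# unstructured files found on an endpoint or a shared drive.
SAMPLE_FILES = {
    "/shared/hr/payroll_notes.txt": "Jane Doe, NI AB123456C, jane.doe@example.org, paid 2,400",
    "/shared/marketing/plan.txt": "Q3 campaign outline, budget approved",
    "/shared/finance/cards.csv": "customer,card\nacme,4111111111111111",
    "/home/bob/todo.txt": "buy milk, call dentist",
}

# Simple detectors for common personal-data kinds. Real scanners use many
# more patterns (and context), but the structure is the same.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # UK National Insurance number: two letters, six digits, suffix A-D.
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    # Candidate card number; confirmed with a Luhn check to cut false positives.
    "payment_card": re.compile(r"\b\d{13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> set:
    """Return the set of personal-data kinds found in a document."""
    kinds = set()
    for name, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(content):
            if name == "payment_card" and not luhn_ok(match.group()):
                continue
            kinds.add(name)
    return kinds


def discover_pii(files: dict) -> dict:
    """Audit step: map each file that contains personal data to the kinds found."""
    inventory = {}
    for path, content in files.items():
        kinds = classify(content)
        if kinds:
            inventory[path] = sorted(kinds)
    return inventory


# Constructed file-access events in an invented format (assumed, not a real log).
LOG_LINES = [
    "2024-05-01T09:00:01 user=alice action=read path=/shared/hr/payroll_notes.txt dest=local",
    "2024-05-01T09:00:05 user=alice action=read path=/shared/marketing/plan.txt dest=local",
    "2024-05-01T09:01:10 user=bob action=copy path=/shared/finance/cards.csv dest=removable:E:",
    "2024-05-01T09:02:00 user=carol action=read path=/shared/hr/payroll_notes.txt dest=local",
    "2024-05-01T09:02:03 user=carol action=read path=/shared/finance/cards.csv dest=local",
    "2024-05-01T09:02:06 user=carol action=copy path=/shared/hr/payroll_notes.txt dest=removable:E:",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+) dest=(?P<dest>\S+)$"
)


def detect_anomalies(log_lines, inventory: dict, distinct_threshold: int = 2) -> list:
    """Monitoring step: raise alerts for risky use of files known to hold personal data."""
    alerts = []
    touched = defaultdict(set)  # user -> distinct personal-data files accessed
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than stop the monitor
        ev = m.groupdict()
        if ev["path"] not in inventory:
            continue  # file holds no personal data; nothing to track
        touched[ev["user"]].add(ev["path"])
        if ev["action"] == "copy" and ev["dest"].startswith("removable:"):
            alerts.append({"rule": "pii_to_removable_media", "user": ev["user"],
                           "path": ev["path"], "ts": ev["ts"]})
    for user, paths in touched.items():
        if len(paths) >= distinct_threshold:
            alerts.append({"rule": "bulk_pii_access", "user": user, "count": len(paths)})
    return alerts


if __name__ == "__main__":
    inventory = discover_pii(SAMPLE_FILES)
    for path, kinds in inventory.items():
        print(f"{path}: {', '.join(kinds)}")
    for alert in detect_anomalies(LOG_LINES, inventory):
        print(alert)
```

Running the script lists the two sample files that hold personal data and raises three alerts: two copies of such files to removable media (matching the report's "loss or theft of unencrypted devices" category) and one user who read several distinct personal-data files. The point of the inventory-first design is that monitoring only fires on files the audit has classified, which keeps the alert volume manageable and ties each alert back to a specific record the company can account for under the GDPR.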