Cock-up culture: Staff guilty of 90% of data breaches

The UK’s cyber security sector might be bulking up like a Love Island beau on steroids, but it seems companies need to look a little closer to home to protect their sensitive information, with a new study fingering humans for the vast majority (90%) of data breaches.

According to an analysis of Information Commissioner’s Office data – carried out by cybersecurity firm CybSafe – nine out of 10 of the 2,376 cyber breaches reported to the regulator last year were caused by mistakes made by end users.

This marks an increase from the previous two years, when, respectively, 61% and 87% of cyber-breaches were blamed on user cock-ups.

However, the analysis only covers incidents which firms have fessed up to the ICO about; it is claimed that nearly half of all data breaches – especially internal ones – go unreported.

The CybSafe analysis cited phishing as the primary cause of breaches in 2019, accounting for 45% of all reports to the ICO. “Unauthorised access” was the next most common cause, with reports relating to malware or ransomware, hardware/software misconfiguration and so-called “brute force” password attacks also noted.

CybSafe chief executive Oz Alashe said: “As this analysis shows, it’s almost always human error that enables attackers to access encrypted channels and sensitive information. Staff can make a variety of mistakes that put their company’s data or systems at risk, often because they lack the knowledge or motivation to act securely, or simply because they accidentally slip up.”

However, he added: “Employees of course pose a certain level of cyber-risk to their employers, as seen in our findings. Nevertheless, people also have an important role to play in helping to protect the companies they work for, and human cyber-risk can almost always be significantly reduced by encouraging changes in staff cyber-awareness, behaviour and culture.”

Figures released earlier this week by the Department for Digital, Culture, Media & Sport show the UK cyber security industry has rocketed from 846 companies three years ago to 1,200, with the market now worth an estimated £8.3bn a year.

This growth has also triggered a huge rise in employment, with the number of full-time roles up 37% over the past two years to 43,000.

A separate analysis carried out by SMS Works revealed that companies suffering data breaches are far more likely to be fined by the ICO than even the most rampant rogue marketers.

Since 2010, 110 fines have been handed out for data breaches, 50.9% of the total. This represents a major change from two years ago, when a large proportion of fines were for so-called nuisance calls.
