The 2021 ICO Annual Report highlights areas of concern for UK organisations, including the rise of ransomware, the constant threat of email phishing, and the lack of public faith in companies’ handling of data.
Let’s dive into some of the more interesting findings from the regulatory body’s latest report.
ICO leniency around breach fines
Perhaps surprisingly, the regulator issued just three GDPR fines in 2020/21, two of which were greatly reduced in response to the difficulties faced by businesses during the pandemic. British Airways and Marriott Hotels both saw a significant reduction in their GDPR fines due to the financial impact of COVID-19.
With shoots of recovery from the pandemic starting to show, will this leniency from the ICO continue? Or should organisations that cause data breaches be more concerned about the prospect of consumer lawsuits than about regulatory fines? Egress CEO Tony Pepper had this comment to make: “The ICO has shown leniency to businesses during the pandemic, issuing just three fines in the last year, with two of these greatly reduced. However, this sympathetic approach is not being mirrored by consumers. In an unexpected twist, the pain of GDPR is being felt in the courtrooms, not in regulatory fines.”
“The data subjects involved in these incidents aren’t necessarily forgiving. A recent survey by Egress found that almost half of UK consumers would join a class-action lawsuit against a company that had breached their data. Companies are increasingly finding themselves facing significant legal costs and settlements, as we’ve recently seen with a spate of data breaches, including the British Airways breach. Organisations must ensure that they’re being proactive when it comes to data breach prevention.”
Lack of public faith in data privacy
Some of the ICO figures back up IT leaders’ fears that consumer litigation could grow in the coming years. Since the introduction of GDPR in 2018, the general public have become more aware of their data privacy rights. From mid-2020 to mid-2021, the ICO resolved more than 30,000 complaints made by members of the public concerned that their data rights had not been respected.
The ICO also ran an additional survey to gauge public opinion on data privacy. Findings showed that only 28% of people have high confidence in companies and organisations storing and using their personal information. This highlights a clear area of differentiation for businesses with an excellent reputation for data security.
Ransomware attacks have doubled
The report revealed worrying figures about ransomware, a dangerous form of cybercrime that’s currently plaguing businesses. While the most recent high-profile stories have come from the US, such as the Colonial Pipeline and Kaseya attacks, it would be a mistake to think this is solely a US problem.
The ICO report data was further analysed by British cybersecurity and data analytics firm CybSafe. They found that the share of reported cyber incidents attributed to ransomware doubled year on year: 22% of all cyber incidents reported to the ICO in the first half of 2021 were ransomware, compared to 11% in the first half of 2020.
This is a worrying trend that businesses need to get on top of fast – and the key to doing so could lie with email phishing.
Phishing is still the most common cyber incident
In the first half of 2020, phishing attacks accounted for 44% of all cyber incidents reported to the ICO. This figure dropped slightly to 40% in the first half of 2021, but phishing is still the primary cause of the cyber incidents reported to the ICO. This is unsurprising, and the prevalence of phishing ties directly into the rise in ransomware.
Over 90% of ransomware attacks are delivered via email phishing, with cybercriminals increasingly purchasing ransomware through Crime-as-a-Service channels and then delivering it into organisations via email. Stopping the phishing email is therefore the earliest and cheapest point at which to break the ransomware kill chain.
Education and healthcare have been hit hard
According to the analysis, the healthcare sector was responsible for the most personal data breaches. It has of course been a very challenging 18 months for the healthcare industry. On top of the usual risks around accidental data loss in a fast-paced environment, healthcare organisations have had to deal with a multitude of COVID-19 related scams.
Education was second only to healthcare in personal data breaches, and was the sector hardest hit by cyber incidents in 2021. This might surprise some, with financial services, law, and healthcare firms seemingly more lucrative targets. However, with schools, colleges, and universities making the transition to remote learning during the pandemic, many have been left wide open to cyberattacks.
The CybSafe analysis showed that ransomware accounted for 32% of the attacks on schools and universities, up from 11% only a year earlier. These findings are a concern for IT leaders within education, with coursework, financial records, and COVID-19 testing data all at risk of being breached in the event of an attack.
How to stop breaches
The ICO’s latest report should concern UK IT leaders. However, there is help available in the form of intelligent technology. Egress offers a market-leading, AI-powered Intelligent Email Security platform that can protect your business from the full spectrum of data breaches:
- Egress Prevent: Stops deliberate and accidental data loss, helping to keep you safe from regulatory fines and class action lawsuits
- Egress Protect: Automatically encrypts all outgoing email and email attachments in line with GDPR
- Egress Defend: Catches even the most sophisticated forms of phishing through machine learning and natural language processing
If you’d like to learn more about the threats covered in the ICO report and how to combat them, we also have dedicated information hubs on both email data loss prevention and phishing for you to explore.