Research carried out by Egress Software Technologies at Infosecurity Europe 2016 has confirmed that many organisations are not currently doing enough to protect sensitive data and fear a data breach as a consequence. This is particularly concerning given the upcoming data protection reforms planned across Europe, which raise the potential financial penalties that will be applied as a result of a breach.
In summary, the results showed:
- 66% of those surveyed acknowledged their organisation could be doing more to improve data security ahead of the EU GDPR
- 61% admitted to having had a data breach within the last 12 months
- 66% of these breaches were caused by staff disclosing information in error
- 41% thought senior management need to make data protection a higher priority
- 73% said they had recently invested in information security solutions
- 77% expect their organisation to increase spend on data protection products in the next 12 months
Changing the face of the information security industry: The EU General Data Protection Regulation
Data breach incidents are continuing on their upward trend. Statistics obtained under a Freedom of Information (FOI) request to the Information Commissioner’s Office (ICO) have demonstrated this is true for 66% of sectors.
It is therefore probably little surprise that two-thirds of those surveyed at Infosec 2016 admitted their organisation should be doing more, particularly in light of the upcoming EU GDPR.
However, there has been some ongoing speculation by commentators about what the Brexit referendum will mean for the upcoming EU GDPR. Two years in the making, the EU GDPR is set to bring in radical changes to how European countries handle and process data. These include mandatory reporting of data breach incidents to a regulator for all organisations, ‘Privacy by Design and by Default’, the need to appoint data protection officers, and the requirement to gather valid consent from individuals to process their data.
Non-compliance with the regulation could see organisations fined up to 4% of annual global turnover or €20,000,000 (whichever is higher).
Since the Brexit referendum, and as discussed in another recent blog article, the ICO has continued to point to the EU GDPR as the new standard for data protection. Moreover, while nothing can, as yet, be said for certain for the UK’s own legislation, companies trading with the single market will still be expected to adhere to the EU GDPR. The ICO has also cited the regulation as best practice and acknowledged that they intend to continue delivering the highest levels of data protection.
All in all, even if it is not the actual EU GDPR that the ICO is enforcing in future, any new legislation is likely to be very similar. Worryingly, therefore, we can still expect two-thirds of firms not to be protecting commercially and personally sensitive data to the best possible standard.
The top cause of data breaches
61% of those surveyed admitted to having suffered a data breach within the last year, with 66% of those attributing it to human error. Additionally, 41% said their senior management team don’t prioritise data security highly enough.
This backs up other research we recently conducted, examining board-level priorities for information security and revealing that only 20% are focusing on accidental data breaches.
What we’re seeing, then, is a continued upward trend in data breaches, the vast majority of which are caused by human error, while organisations apply their information security spend elsewhere, all with more stringent data protection legislation on the horizon.
What can be done to mitigate data breaches?
As the research shows, most data breaches caused by human error result from information being disclosed to the wrong recipients, or paperwork being lost or stolen.
Many of these breaches are known as common information security pitfalls, such as faxing and posting sensitive information to the wrong person, or sending a plaintext email to the wrong address. To tackle this, organisations need to gain a holistic understanding of the information security measures currently in place. The first step is understanding the sensitive data produced and handled by their staff, and implementing a classification tool to mandate how this information is treated.
The next step is to ensure that when sensitive data is shared, it is done so with the correct levels of encryption and control applied. By using a classification tool that integrates with, for instance, email encryption and secure collaboration solutions, you can ensure that the mandated level of protection continues.
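As an added illustration (not Egress code and not a description of any particular product), the following Python sketch shows how a classification label can mandate handling at the point of sending: each label maps to a required control, and an outbound message is checked before it leaves. The labels, the organisation domain and the messages are constructed for the example.

```python
"""Added example: turn a classification label into mandated handling for outbound e-mail.
Labels, the internal domain and the sample messages are constructed assumptions."""
from dataclasses import dataclass
from typing import List

# Hypothetical handling rules keyed by classification label (assumption).
POLICY = {
    "PUBLIC":       {"encrypt": False, "internal_only": False},
    "INTERNAL":     {"encrypt": False, "internal_only": True},
    "CONFIDENTIAL": {"encrypt": True,  "internal_only": False},
}
INTERNAL_DOMAINS = {"example.org"}  # constructed organisation domain


@dataclass
class OutboundMessage:
    label: str            # classification applied by the user or classification tool
    recipients: List[str]
    encrypted: bool = False  # whether the mail client applied encryption to this send


def check_message(msg: OutboundMessage) -> List[str]:
    """Return a list of policy violations; an empty list means the send may proceed."""
    rule = POLICY.get(msg.label.upper())
    if rule is None:
        # Unknown labels fail closed rather than being treated as public.
        return [f"unknown classification label {msg.label!r}"]
    problems = []
    # A recipient is external when its domain part is not one of ours.
    external = [r for r in msg.recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if rule["internal_only"] and external:
        problems.append(f"internal-only data addressed to external recipients: {external}")
    if rule["encrypt"] and not msg.encrypted:
        problems.append("confidential data must be sent encrypted")
    return problems


if __name__ == "__main__":
    # Constructed messages: the second is the plaintext-to-wrong-address case.
    for m in (OutboundMessage("confidential", ["alice@example.org"], encrypted=True),
              OutboundMessage("confidential", ["bob@partner.com"]),
              OutboundMessage("internal", ["carol@partner.com"])):
        print(m.label, "->", check_message(m) or "OK")
```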
Spending wisely in the information security market
It is encouraging to see that 73% of respondents noted they had recently procured an information security tool, with 77% expecting spend to increase in the next 12 months. However, given the mismatch between board-level priorities and the reality behind data breaches, it is crucial this budget is applied wisely.
Again, this returns to taking a balanced and holistic approach to information security. Of course, organisations will continue to need to allocate budget to technology such as AV filtering and network protection; however, technology that reduces the likelihood of a data breach through human error also needs to appear on the budget sheet. As the research has shown, this issue must be addressed by senior members of staff, of whom currently only 20% are considering human error a major priority. It is only by balancing these priorities that we will overcome the ongoing upward trend in data breach incidents.