London - 28th May 2020 -The Information Commissioner’s Office (ICO) latest report on data security incident trends shows a pronounced uptick in human-activated incidents. Categorised primarily by the ICO as ‘non-cyber incidents’, these are caused by people’s behaviour putting data at risk, with the top three for the Q4 report:
- Data emailed to an incorrect recipient
- Data posted/faxed to an incorrect recipient
- Loss/theft of paperwork or data left in an insecure place
Misdirected emails are a bigger security threat than phishing
Data emailed to incorrect recipients – more commonly known as ‘misdirected emails’ – was the number one cause of categorised incidents reported to the ICO in the timeframe. Data breaches resulting from misdirected emails are a global and ubiquitous problem: everyone has access to email, and while organisations often focus on how it can be exploited for inbound attacks like phishing, the ICO’s statistics show that ‘inadvertent insiders’ making mistakes are actually a far greater risk:
Misdirected emails accounted for 20% more reported incidents than phishing attacks (the second highest cause of incidents in the Q4 report) and this is a problem that has grown by 25% since Q3 2019.
What’s more, remote working during the COVID-19 lockdown has only amplified this issue. At Egress, we have seen an average 23% rise in email usage, as organisations rely even more heavily on it as a critical business communication tool. Alone, this increases the risk of someone sending an email to an incorrect recipient or attaching the wrong document – and we must add to this the disruption caused by working from home, whether that’s using mobile devices or laptops with smaller screens, or working later into the evening to accommodate daytime childcare or other commitments.
Healthcare, legal and financial services have cause for concern
The ICO’s statistics show the top five sectors reporting the most security incidents are:
- Financial Services
- Local Government
Again, we see from the report that human behaviour has a significant impact on data breach incidents in all these sectors, which are trusted with confidential personal data on behalf of their clients and service users.
For healthcare, legal, financial services and local government, the top three categorised incidents are: misdirected emails, posting or faxing data to the wrong recipient, and loss or theft of paperwork. Only in the education sector do phishing attacks rank as the second highest cause of breaches, behind misdirected emails.
As well as emailing the wrong recipients, organisations’ continued reliance on fax and post to share sensitive data remains a concern – especially in healthcare organisations, where faxes have been outlawed for the NHS by Health Secretary Matt Hancock. It’s clear that all organisations must find a solid route to secure digitisation, particularly in the current climate in which reliance on fax and post can’t be effectively sustained due to social distancing.
Secure digitisation must become the priority
The UK and the rest of the world remain in a state of flux due to the COVID-19 pandemic. But throughout all industries, this is also proving to be a time of revolution for secure digitisation. Large-scale remote working and social distancing are forcing organisations to re-examine established processes, providing opportunity for innovation that leads to improved security, efficiency and cost-effectiveness.
The findings from the ICO’s report focus this process. In all possible scenarios, paper-based processes must be digitised. Then the latest in intelligent technologies, like contextual machine learning, can be overlaid to provide a safety net that detects when human behaviour is about to put data at risk – for example, by spotting incorrect recipients in an email and alerting a user before they hit ‘Send’.
It is imperative that organisations take this opportunity for secure digitisation – to ensure better data protection for citizens, as well as operate with maximum efficiency in the times that are ahead.
Read the ICO's report
Click here to access this data on the ICO's website.