90 per cent of cyber data breaches were caused by user error last year, according to analysis of data from the UK’s Information Commissioner's Office (ICO) by the cyber security awareness and data analytics company, CybSafe.
In 2019, UK organisations reported more cyber security breaches to the ICO than ever before. A total of 2,376 reports were sent to the public body last year, up from 540 in 2017, and 1,854 reports in 2018 - the year that GDPR came into force.
Of those breaches reported in the last year, CybSafe found that 90 per cent could be attributed to mistakes made by end-users. This represents an increase over 2017 and 2018, when 61 per cent and 87 per cent respectively of cyber breaches could be ascribed to user error.
CybSafe found that phishing was the primary cause of 2019 breaches, accounting for 45 per cent of all reports. In 2017, only 16 breach reports were made to the ICO as a result of successful phishing attacks. This jumped to 877 phishing reports in 2018, and in 2019, UK organisations reported a record 1,080 phishing-related breaches to the ICO.
Behind phishing, ‘unauthorised access’ was the second most common cause of cyber breaches last year, with 791 breaches reported to the ICO. Other notable causes for breaches included 243 reports related to malware or ransomware, 64 related to hardware/software misconfiguration, and 34 related to brute force password attacks.
Oz Alashe, CEO of CybSafe, said: “As this analysis shows, it’s almost always human error that enables attackers to access encrypted channels and sensitive information. Staff can make a variety of mistakes that put their company’s data or systems at risk, often because they lack the knowledge or motivation to act securely, or simply because they accidentally slip up.”
“Though shocking, these statistics shouldn’t provoke a negative reaction. Employees of course pose a certain level of cyber risk to their employers, as seen in our findings thus far. Nevertheless, people also have an important role to play in helping to protect the companies they work for, and human cyber risk can almost always be significantly reduced by encouraging changes in staff cyber awareness, behaviour, and culture.”
“The most recent annual Cyber Security Breaches Survey from the government found staff from just under three in ten businesses have attended internal or external cyber security training in the last 12 months. So at a national level, there’s clearly lots of room for improvement.”
Since the General Data Protection Regulation (2016) came into force in May 2018, UK businesses and organisations have been required by law to report data breaches and successful cyber attacks to the ICO.