CybSafe found that in 2019, UK organisations reported more cyber security breaches to the ICO than ever before. A total of 2,376 reports were sent to the public body last year, up from 540 in 2017, and 1,854 reports in 2018 - the year that GDPR came into force. Based on these figures, cyber breach reports to the ICO increased by 28 per cent between 2018 and 2019.
Phishing data breach reports have increased even more significantly over the last three years. In 2017, only 16 breach reports were made to the ICO as a result of successful phishing attacks. This jumped to 877 phishing reports in 2018, and in 2019, UK organisations reported a record 1,080 phishing-related breaches to the ICO - representing 45 per cent of all cyber security data breach reports received by the ICO that year.
In 2019, phishing was therefore the most common reason cited for cyber data breaches. ‘Unauthorised access’ took second place, with 791 breaches reported to the ICO. Other notable causes for breaches included 243 reports related to malware or ransomware, 64 related to hardware/software misconfiguration, and 34 related to brute force password attacks.
CybSafe’s research illustrates the continued prevalence of human-focused attacks and breaches. Considering all cyber security reports received by the ICO in 2019, the company suggests that over 90 per cent can likely be attributed to some form of user error or mistakes, as opposed to hardware or software security vulnerabilities.
Commenting on the company’s latest analysis, Oz Alashe, CEO of CybSafe, said: “With GDPR causing a massive surge in reporting during 2018, we might have expected that reports to the ICO would taper off in 2019 - but this wasn’t the case. 2019 surpassed the numbers achieved in the previous year quite dramatically. In terms of human error data breaches, it was a particularly significant year.
“With end-user mistakes often found to be the cause or catalyst of the majority of breaches, there’s a clear opportunity for the channel to step up and offer expertise and workable programmes. The channel needs to start the conversation with their customers about whether they’re successfully minimising human risk. Many companies won’t be doing anything at all to tackle these types of cyber risks, and those that are doing something, often won’t be using cost-effective, impactful, and measurable solutions.”