In 2019, UK organisations reported more cyber security breaches to the ICO than ever before. A total of 2,376 reports were sent to the public body last year, up from 540 in 2017, and 1,854 reports in 2018 - the year that GDPR came into force.
Of those breaches reported in the last year, CybSafe found that 90 percent could be attributed to mistakes made by end-users. This represents an increase over 2017 and 2018, when 61 percent and 87 percent of cyber breaches respectively could be ascribed to user error.
CybSafe found that phishing was the primary cause of 2019 breaches, accounting for 45 percent of all reports. In 2017, only 16 breach reports were made to the ICO as a result of successful phishing attacks. This jumped to 877 phishing reports in 2018, and in 2019, UK organisations reported a record 1,080 phishing-related breaches to the ICO.
Behind phishing, ‘unauthorised access’ was the second most common cause of cyber breaches last year, with 791 breaches reported to the ICO. Other notable causes of breaches included 243 reports related to malware or ransomware, 64 related to hardware/software misconfiguration, and 34 related to brute force password attacks.
Oz Alashe, CEO of CybSafe, said: “As this analysis shows, it’s almost always human error that enables attackers to access encrypted channels and sensitive information. Staff can make a variety of mistakes that put their company’s data or systems at risk, often because they lack the knowledge or motivation to act securely, or simply because they accidentally slip up.
“Though shocking, these statistics shouldn’t provoke a negative reaction. Employees, of course, pose a certain level of cyber risk to their employers, as seen in our findings thus far. Nevertheless, people also have an important role to play in helping to protect the companies they work for, and human cyber risk can almost always be significantly reduced by encouraging changes in staff cyber awareness, behaviour, and culture.
“The most recent annual Cyber Security Breaches Survey from the government found that staff from just under three in ten businesses had attended internal or external cybersecurity training in the last 12 months. So at a national level, there’s clearly lots of room for improvement.”