Cyber security data breach reports continued to flood in to the Information Commissioner’s Office (ICO) last year, with phishing proving to be the top cause of breaches, according to new analysis of ICO data from 2017 to 2019.
The analysis, conducted by the intelligent cyber security awareness platform CybSafe, found that in 2019, UK organisations reported more cyber security breaches to the ICO than ever before. A total of 2,376 reports were sent to the public body last year, up from 540 in 2017, and 1,854 reports in 2018 – the year that GDPR came into force. Based on these figures, cyber breach reports to the ICO increased by 28 per cent between 2018 and 2019.
Phishing data breach reports have increased even more significantly over the last three years. In 2017, only 16 breach reports were made to the ICO as a result of successful phishing attacks. This jumped to 877 phishing reports in 2018, and in 2019, UK organisations reported a record 1,080 phishing-related breaches to the ICO – representing 45 per cent of all cyber security data breach reports received by the ICO that year.
In 2019, phishing was therefore the most common reason cited for cyber data breaches. ‘Unauthorised access’ took second place, with 791 breaches reported to the ICO. Other notable causes for breaches included 243 reports related to malware or ransomware, 64 related to hardware/software misconfiguration, and 34 related to brute force password attacks.
CybSafe’s research illustrates the continued prevalence of human-focused attacks and breaches. Considering all cyber security reports received by the ICO in 2019, the company suggests that over 90 per cent can likely be attributed to some form of user error or mistakes, as opposed to hardware or software security vulnerabilities.
Commenting on the company’s latest analysis, Oz Alashe, CEO of CybSafe, said: “With GDPR causing a massive surge in reporting during 2018, we might have expected that reports to the ICO would taper off in 2019 – but this wasn’t the case. 2019 surpassed the numbers achieved in the previous year quite dramatically. In terms of human error data breaches, it was a particularly significant year.”
“As for lessons learned, there’s a lot to take away from these figures. As a nation, we can’t begin to address cyber risk if we only concentrate on technical threats. The human side of the equation is so important. Simple attacks, especially social engineering attacks, continue to dominate the threat landscape. And it’s hard to see that situation changing significantly in the next few years.”
“With end-user mistakes often being either a cause or catalyst in the majority of breaches, British businesses and public sector organisations need to be asking whether they’re doing enough to minimise that risk. Are they doing anything at all, and if they are, is it really making a difference?”