Data protection basics and the top causes of data breach in Q3 2022
News and information from the Advent IM team.
The basics still appear to be the biggest challenge to successful data protection.
The Security Incident Reports from the ICO are always a useful indicator of the kind of failures organisations experience when it comes to losing, invalidating or revealing data they shouldn’t. When it comes to gauging the state of UK data protection and security practices, it’s a good yard stick. This latest quarter is no exception. There are a few standout issues in data protection effectiveness highlighted in the recent report and I wanted to think about what some of the drivers might be.
Overall, the largest group of data breaches remains, data emailed to an incorrect recipient1 with 419 reports in the latest quarter, this type of breach grew at +6% vs Q2 and it grew the previous quarter too. So, although it isn’t the fastest-growing type of breach, it is very important because it is far and away the biggest. So, it will come as no surprise to learn that despite the huge levels of malware and ransomware we deal with each year, breaches classed as Non-Cyber, still number very much higher than Cyber, almost three to one. Indeed, the latest quarter sees Cyber based data breaches in a decline of -12% while Non-Cyber breaches have grown by +3%. This would suggest cultural, behavioural, or training issues.
We have to ask ourselves why this is such a frequent cause of breaches and to do that, we need some extra data because we have, over the years, established that training is an area that rarely receives the same level of budget that tech enjoys, this never seems to change. So, the fact that it is growing begs some questions…are we sending more emails than we used to? Are we sending things by email that we never used to? Are more organisations or sectors now falling prey to this kind of breach? In short, what has changed that we are struggling to manage?
One of the first things that spring to mind is lockdown, changes to working environments, and remote teams that are perhaps less comfortable in their new environments. Looking at the data from Tessian Research2, for which they quizzed UK and US employees on areas such as sending emails to incorrect recipients and falling for phishing emails, we can see some insight. The top four reasons offered by employees who had caused a breach this way were; Pressure to Send Email Quickly, I Wasn’t Paying Attention, I Was Distracted and I Was Tired. All of these feel like issues that could be worsened by a change in the working environment. There was a rise in ‘Pressure to Send Email Quickly’ from 34% in 2020 to 50% in 2022, this was the biggest year on year change and if we go back and look at the ICO figures to see where the greatest number of breaches of this type have happened, we can see Health, Education, Local Government and Finance/Insurance/Credit are some of the key sectors. Not coincidentally, areas most impacted by managing the Covid Pandemic, be that in terms of our physical well-being, financial well-being, our children, and our amenities; under pressure, coping with high levels of illness and absent staff too in many cases as well as some newly remote teams struggling to cope with new environments that they were not prepared for. The category of ‘Pressure to Send Email Quickly’, is also a worrying one when we consider how phishing emails, the number one attack vector, rely on recipients acting without thinking, for success. Not surprisingly, if we look at successive ICO reports we see that phishing is a very common cause of data breaches and the success of this attack vector relies on the recipient acting fast without thinking…A very clear training and education requirement here.
Switching attention to Cyber breaches, I wondered if I would find any evidence to support the ‘change of environment’ question. What I found is that Hardware/Software Misconfiguration is the fastest-growing breach in the Cyber Breach area. With a growth of +18% in the last quarter, mostly driven by, Health and Education, the previous quarter (Q2 2022 vs Q2 2021) also showed year-on-year growth. This would correspond with the growth of remote teams and the impact of the pandemic. It made me wonder about speedy rollouts of equipment to teams that again were ill-prepared for a new way of working and perhaps configurations were not always as good as they could have been. Now would be the ideal time to review that of course, as many organisations are embedding hybrid or remote working into their cultures now.
If you would like support with data protection services or training, we can help. Call us with no obligation and find out how easy it is to engage with our experts.
__________________________________________________________________________________
1 ICO Q3 2022 Security Incident data ICO.org
2 Tessian Psychology of Human Error 2022