IT leaders report surge in external breach notifications to the UK ICO
Recent findings from Apricorn, a leading manufacturer of hardware-encrypted USB drives, have highlighted a significant uptick in external notifications of cyber breaches to the Information Commissioner's Office (ICO). In their annual research into cyber breaches, encryption, and data security, Apricorn has revealed that 32% of UK security decision-makers surveyed said their organisation had been reported to the ICO for a data breach or potential breach by an external party since the General Data Protection Regulation (GDPR) took effect.
This number represents a notable increase from previous years. After a dip from 10% in 2021 to 4% in 2022, the figure has spiked to 32% in 2023. Experts speculate that this could either be a result of heightened public awareness about data breaches and the importance of reporting them or could indicate that organisations' internal teams may not be as informed about potential breaches as they ought to be.
Jon Fielding, Managing Director, EMEA at Apricorn, commented on the situation, stating, "Not all breaches are reportable, but likely recordable. The fact these breaches have been reported from outside the organisation may indicate that internal teams are not as aware as they should be of transgressions. But equally, if those doing the reporting simply work externally, this could reveal some confusion over how the breach should be reported and indicates the opposite – that staff are becoming more vigilant."
Interestingly, the study also highlighted that 40% of breaches or potential breaches were reported to the ICO by someone within the organisation. This again underscores the growing understanding of the significance of timely disclosure and remediation, especially in the light of stringent regulations like GDPR and the severe penalties that non-compliance can attract.
On the brighter side, the percentage of organisations stating they hadn't experienced a breach or potential breach has decreased from 14% in 2022 to 7% in 2023. This suggests that businesses are gradually implementing better measures to counteract data breaches.
However, the survey also shed light on some areas of concern. Nearly half (48%) of the IT decision-makers surveyed felt that mobile or remote workers knowingly jeopardised corporate data in 2023, and 51% of organisations expect these remote workers to be a potential breach risk. Additionally, 24% believe that mobile or remote working complicates GDPR compliance, a sentiment that could be linked to the rise in breach reports as remote working becomes more prevalent.
While ransomware attacks were the culprits in about 24% of breaches, insider threats, both unintentional (22%) and intentional (20%), seem to pose the most significant risk. Other notable causes of breaches include phishing emails (21%) and the loss or theft of devices containing sensitive corporate data (18%).
Fielding further added, "It seems the education is lacking when it comes to protecting against a breach, but employees are well practised in how to report them. Businesses need to think carefully about the former and being prepared for the when, and not the if. But the fact that almost double the number of breaches were caused by insiders as opposed to phishing attacks is startling given that phishing is widely regarded as the number one threat by many. What this tells us is that businesses should be looking to reinforce a culture of security and ensure data is protected at all times and at all costs!"