ICO DATA ANALYSIS: Human Error to Blame for 8 in 10 Data Breaches in 2021

  • 20.06.2022 02:30 pm

80 per cent of data breaches in 2021 were caused by user error, according to a new analysis of data from the UK’s Information Commissioner's Office (ICO) carried out by cyber security awareness and data analytics company CybSafe.

In 2021, UK organisations reported an alarming number of cyber security breaches to the ICO. A total of 2,692 reports were sent to the public body last year, consistent with the number reported in 2020. The past two years have seen the highest number of cyber incidents reported since GDPR came into force.

Of breaches reported in the last year, CybSafe has found that 80 per cent of these incidents could be attributed to actions taken by end-users. While it's promising to see this decrease from 90 per cent in 2020, a significant proportion of data breaches are still caused by human error, highlighting the need for organisations to do more to consider the human factor within their security strategy.   

CybSafe found that phishing was the primary cause of breaches in 2021, accounting for 29 per cent of all reports. In 2020, nearly 38 per cent of breach reports were made to the ICO as a result of successful phishing attacks. Although phishing attacks have declined in the last year, ransomware continues to be a growing risk to every sector.  

Following a steep rise in attacks, with 692 incidents reported in 2021 alone, ransomware became the second most common cause of cyber breaches last year. Causing 20 per cent of all cyber incidents, ransomware poses a significant threat to the safety and privacy of various organisations.

Oz Alashe, CEO of CybSafe, said: “As identified in the analysis, human error is a major contributing factor enabling attackers to access sensitive information and encrypted channels within organisations. Cybercriminals will often identify the route of least resistance and exploit the vulnerabilities of employees. Therefore, it is crucial that we shift our focus onto user security behaviours within our businesses.” 

“To combat the threat of cyber security breaches, we need to get rid of box-ticking awareness exercises and address the human aspect of cyber security to achieve genuine behavioural change. An empathetic and understanding approach is likely to have the desired outcome of improving employees’ security awareness and their behaviour, without negative consequences.” 

“Addressing this issue is key to reducing successful attacks against organisations. People have an important role to play in helping to protect the companies they work for, and human cyber-risk can almost always be significantly reduced by encouraging changes in staff cyber-awareness, behaviour, and culture,” Alashe concluded. 
