Gemalto’s 2017 Breach Level Index Report shows that it is UK employees, rather than cyber criminals, who are more likely to compromise company data.
The figures suggest that, despite the looming deadline for the General Data Protection Regulation (GDPR), employers haven’t been putting enough emphasis on employees’ data protection responsibilities or setting up policies, security and training to prevent such costly mistakes.
According to the report, nearly three out of four (72 %) breached records in 2017 were attributed to accidental breaches by employees. By contrast, cyber-attacks accounted for only 23% of compromised data.
That said, the UK has significantly improved its levels of data breach prevention and damage mitigation, with a 40% decrease in the number of breached records compared to 2016. These figures far outstrip global trends, which saw an 88% increase in the number of breached records.
The UK also experienced a 26% decrease in the number of incidents leading to data breaches, compared to an 11% decline in breaches globally.
However, the report also shows that the UK accounted for a massive 80 out of 112 major data breaches in Europe.
In comparison, Finland was reportedly responsible for only two data breaches. It’s worth pointing out, however, that these figures refer only to the number of breaches reported. For the UK, the level of reporting is likely to increase even further with the implementation of the GDPR in May.
Globally, 1.9 billion – a shocking 580% more – records were accidentally compromised than in 2016. Accidental breaches included employees misconfiguring databases, losing data or disposing of it improperly.
The number of breached records due to malicious insiders – i.e. employees who deliberately misuse data – more than doubled – from 14 million to 30 million. This could, in large part, be attributed to organisations being slow to revoke data access via log-in details of disgruntled ex-employees.
The report advises organisations to take control of data protection and invest more in security and employee training to mitigate the cost and adverse consequences of data breaches.
Organisations seeking GDPR compliance should encrypt all sensitive data at rest and in motion, and securely store and manage all encryption keys. They should control access and user authentication. To prepare for the inevitable digital attacks, organisations should also revise and test incident response and disaster recovery plans. Employee training will help create a security-aware culture and help towards GDPR compliance.
To help UK organisations, Me Learning has worked with specialist data privacy lawyers Clayden Law to develop a wide portfolio of online GDPR training courses. For more information click here.