It has been revealed that data breaches are up 75% in two years, finds a report from the Information Commissioner (ICO). The report, which used data gathered under the Freedom of Information Act, found most data breach cases to be applicable to human error in some way. Offering insight are the following security experts:
Bob Egner, VP at Outpost24:
“This level of increase comes as no surprise, and correlates well with the security practices we encounter when working with our clients. The most secure companies we work with today have put a clear focus on creating a “culture of security awareness” that extends beyond the obligatory security and privacy training. These organizations have made security a key element in a variety of everyday tasks – from how meetings are conducted to employee performance reviews. When this approach is combined with appropriate technology, the organization can keep better control of their information without focusing on “who is responsible for the data breach.”
The impact to business and reputation have been well publicized, but many organization are not making the investment required before an unfortunate incident occurs – in spite of GDPR. In fact, we see early signs that theft of “low value” data suddenly becomes “high value” when the attacker turns to blackmail with stolen information. The victim feels compelled to pay just to avoid the GDPR penalty.”
Mayur Upadhyaya, Managing Director, EMEA at Janrain:
“The emerging trend that is highlighted in the Kroll analysis and request for information from the ICO is the level of human interaction required in the processing of personal data. This trend will only be on the rise post GDPR with the potential number of Subject Access Requests that will be manual processes. The combination of paper processes, security solutions built in-house and legacy shadow IT, does create a perfect storm. For instance, when dealing with call centres we still rely on knowledge as our primary source of identity resolution – this level of information can be found quite easily online. Organisations needs to find a more robust methods for storing customer identity and profile data, once these types of solutions are in place, augmenting with automation and anomaly detection becomes more actionable.”
Tim Sadler, CEO at Tessian:
“Contrary to the popular belief that cybersecurity and data breaches are all due to malicious attackers trying to break into an organisation and steal data, inadvertent human error is likely to be the biggest reason why a company loses data. As humans, we naturally fixate on the scary things which are unlikely to harm us (e.g. sharks in the sea), but don’t think twice before we get into a car and drive to work (statistically one of the most likely things to cause us harm) — this also applies to information security where companies routinely underestimate the risks from processes that seem safe (emailing) but can be catastrophic when humans make mistakes. Misaddressed emails are consistently one of the main forms of data security incident reported to the ICO highlighting the importance of cybersecurity and data protection policy to not only focus on preventing the headline grabbing hacks but also save your employees from themselves.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.