In recent years, the severity of data breaches has become increasingly apparent, with significant consequences for organizations. An analysis of nearly 100,000 data breaches reported to the UK Information Commissioner’s Office (ICO) from April 2019 to December 2022 has revealed a disturbing trend. Not only do breaches often go unreported for extended periods, but the financial impact of these incidents surpasses the fines imposed under the General Data Protection Regulation (GDPR).
One concerning finding from the analysis is the significant gap between the occurrence of a breach and its subsequent reporting. Even with stricter measures implemented by the ICO, it was discovered that in 18% of cases more than a week passed between the breach and its notification to the regulator. This highlights the challenges in promptly identifying threats and emphasizes the need for more efficient breach reporting systems.
Surprisingly, the research indicates that the most significant breaches cost organizations an astonishing £13.5 billion. Shockingly, regulatory fines imposed globally only accounted for 6% of this amount. It is important to note that these notable breaches refer to actual data breaches, excluding instances where organizations deliberately misused data or when white-hat hackers reported incidents without causing harm.
Contrary to popular belief, cyber attacks were not the primary cause of breaches. Only a third (33%) of reported breaches were attributed to malware or phishing attacks, while external threats accounted for 35% of breaches. However, the most significant concern lies in insider threats, which constituted 40% of the reported breaches. This highlights the need for organizations to address internal vulnerabilities and implement robust data security measures.
Human error was found to be a major contributing factor, responsible for 23% of breaches. This includes instances where data was mistakenly shared with the wrong recipients or when it was lost or stolen, such as through stolen devices or misplaced paperwork.
Terry Ray, Senior Vice President of data security GTM and field CTO at Imperva, acknowledged the ICO’s stricter approach to breaches. However, he expressed concern that many organizations prioritize compliance measures on paper rather than genuinely focusing on data security. Ray emphasized that mere compliance does not guarantee protection against the financial impact of a breach, which can include customer churn and reputational damage, often far greater than any fines imposed.
Data breaches continue to rise, increasing by over a third (34%) annually, as highlighted by Ray. A key issue pointed out is the lack of clear metrics to measure the effectiveness of data security investments made by businesses. Hence, reliable benchmarks are essential to ensure that organizations’ investments in data security effectively counter evolving threats.
Since the implementation of GDPR, the ICO has issued fines averaging £14.7 million per year, a significant increase from the £1.5 million in fines issued in the preceding 12-month period. However, these figures are dwarfed by the average cost of the 33 most notable breaches, which amounts to approximately £410 million each. At this rate, it would take the ICO 28 years to fine organizations an amount equivalent to just one of these notable breaches, as Terry Ray emphasized.