Recent research has shed light on the severity of data breaches and their impact on organizations. According to an analysis of nearly 100,000 data breaches reported to the UK Information Commissioner’s Office (ICO) from April 2019 to December 2022, a concerning trend has been observed. Not only do breaches often go unreported for a significant amount of time, but the costs associated with these incidents far exceed the fines imposed under the General Data Protection Regulation (GDPR).
One of the key findings from the analysis is the alarming gap between the occurrence of a breach and its subsequent reporting. Despite the ICO taking a stricter approach, it was discovered that for 18% of the breaches, more than a week passed between the breach occurring and the ICO being notified. This highlights the challenges in promptly identifying threats and underscores the need for more efficient breach reporting systems.
Interestingly, the research revealed that the most notable breaches cost organizations a staggering £13.5 billion. Shockingly, only 6% of this amount was accounted for by regulatory fines imposed globally. It is important to note that these notable breaches refer to actual data breaches, excluding instances where organizations deliberately misused data themselves or when white-hat hackers reported incidents without any resulting damage.
Contrary to popular belief, cyber attacks were not the primary cause of breaches. Malware or phishing attacks accounted for only a third (33%) of the reported breaches, and threats originating from outside the organization constituted 35% of the breaches. The most significant concern, however, lies with insider threats, which made up 40% of the reported breaches. This highlights the importance of addressing internal vulnerabilities and implementing robust data security measures within organizations.
Human error was revealed as a major contributing factor, responsible for 23% of the breaches. This includes instances where data was inadvertently shared with the wrong recipient or when it was lost or stolen, such as through stolen devices or misplaced paperwork.
Terry Ray, Senior Vice President of data security GTM and field CTO at Imperva, acknowledged the ICO’s tougher stance on breaches. However, he expressed concern that organizations were prioritizing compliance measures on paper rather than focusing on genuine data security. Ray emphasized that mere compliance does not guarantee protection against the financial impact of a breach, including customer churn and reputational damage, which can far outweigh any potential fines.
Data breaches are on the rise, increasing by over a third (34%) annually, as noted by Ray. A key issue highlighted is the lack of clear metrics to measure the effectiveness of data security investments made by businesses. It is essential for organizations to have reliable benchmarks to ensure that their investments in data security are indeed effective in countering evolving threats.
Since the implementation of GDPR rules, the ICO has issued fines averaging £14.7 million per year, a significant increase from the £1.5 million levied in the previous 12 months. However, these figures pale in comparison to the average cost of the 33 most notable breaches, which amounted to approximately £410 million. Terry Ray pointed out that at the current pace, it would take the ICO 28 years to fine organizations an amount equivalent to just one of these notable breaches.