Sending errors worse for breach than cyber

The UK ICO’s detailed report on the 2,629 personal data breaches reported to it in Q1 2020 shows a startling fact:

more breaches happened from mis-sending emails, faxes and mail than from ALL cyber-security incidents!

Helpfully, the UK ICO releases reports on personal data breaches reported each quarter.  The report for Q1 2020 (what the ICO calls Q4 2019-20) has some interesting revelations.

Cyber was 25%

All data may be digital, all breaches aren’t

All cyber security incidents (CSIs) together amounted to 24.8%, a quarter of all reported breaches.  Which means 75% were not CSIs, which can surprise some, as it can feel at times as if all data is in digital format, so all breaches must be about cyber security.

Sending error was 27%

Simple human mistake will happen

Sending emails, faxes and mail to the wrong recipient, or not using bcc, led to 26.6% of all breaches, more than all CSIs together.  More than a quarter of all breaches, and a third of non-CSI breaches, are just down to simple human error.

What does this mean for you?

First, it proves the saying: people, process and technology.  For us, that leads us to 4 truisms, for both Privacy and Security:

1. It can’t all be left to technology, much as we might like to have the burden lifted!

Technology is 33% of the answer overall, but it might be 0% or 100% depending on the context.  From solutions, like Keepabl, targeted at governance and management, to solutions such as a firewall or 2FA.  Each is as valid as the other and the Privacy Stack you use will include many various tools.

2. We each have to understand we have our own responsibilty

Each one of us has our own role to play in Privacy and Security compliance, much as Health & Safety law includes that, while employers need to do their part, each employee has their own responsibility for their own health and safety and that of others.  We need to get better at getting that across.

3. To know what’s expected of us, there needs to be a clear, adoptable process to follow

Everyone hates policies and procedures!  But that’s the old-school policy and procedure.  We need a new style of plain-language, more visual, more approachable information setting out the required behaviour.  There’s much to be learnt, and borrowed, from today’s consumerisation of technology, for the consumerisation of this information, not least in terms of design and user interfacing.

This is not easy!  GDPR says you need to provide a ton of information that’s highly technical and complex – but do keep it light and breezy and short…

4. Processes and technology need to reflect that we’re only human

It’s easy to target tech on external threats and to draft policies by copy-pasting laws and standards, bringing across jargon.  This misses the large target we’ve identified above – plain old human error, that just refuses to go away.

We clearly need to do more to block off as much of the opportunity for human error as appropriate to the risk levels – it is about risk management after all!