The Information Commissioner’s Office (ICO) has reported a 20% drop in personal data breach reports, from 11,854 in the 2019-2020 financial year to 9,532 in the most recent financial year (FY 2020-2021).
These figures were published in the ICO’s Annual Report and subsequently analysed by the Parliament Street Think Tank. The report cites the COVID-19 pandemic as the primary reason for the tailing off, and also points to the introduction of mandatory breach reporting in sectors that handle large volumes of personal data as a contributor to the downward trend in personal data breaches reported to the ICO.
The industry reporting the highest number of data breaches was healthcare, which accounted for 16.8% of all personal data breaches reported to the ICO in FY 2020-2021. Education and childcare came second, reporting 1,160 personal data breach incidents over the year, or 13.6% of the total.
Retail and manufacturing were next at 10.9%. Finance, insurance and credit was fourth with 10.5%, and local government fifth, accounting for 8.8% of the personal data breaches reported to the ICO.
Interestingly, 71.4% of all personal data breaches reported to the ICO led to no further action. However, more than one fifth (i.e. 21.6%) were investigated further. The report does not state the specific outcomes of those investigations.
The report does reveal, however, that 3.9% of personal data breaches led to ‘informal’ action being taken, with just 0.1% of cases leading to formal action being taken, which included administrative punishment or a lower tier fine.
Chris Ross, senior vice-president of international sales at Barracuda Networks, commented: “While the ICO has reported a surprising decline in personal data breach incidents this year, business owners and workers must not become complacent. Despite what the figures suggest, cyber attacks targeting remote workers and businesses have increased in intensity over the last 18 months. In particular, this is because more employees were working from home for the first time and so more sensitive data has been handled across e-mail, cloud storage and personal devices than ever before, in turn presenting something of a gold mine of opportunity for hackers.”
Ross added: “A general lack of security provisions and training throughout remote working also contributed to a number of bad and dangerous habits across some employees. Our recent research even revealed that malicious e-mails spend, on average, 83 hours in an employee’s Inbox before being detected or resolved. Perhaps most worryingly, nearly one-in-30 will click on a link in a malicious e-mail, potentially compromising important business data in doing so.”
In conclusion, Ross observed: “Businesses must ensure that all employees are provided with regular and tailored security training so that they can appreciate the seriousness of this threat and react accordingly.”