The Information Commissioner’s Office has reported a 19% dip in the number of reported security incidents during Q4 2019-20 compared to the same period last year.
The EU’s General Data Protection Regulation came into force on May 25, 2018 and since then, there has been a consistent reduction in the number of data security incidents reported to the Information Commissioner’s Office.
The total number of reported cyber-related and non-cyber-related security incidents in the fourth quarter reached 2,629, compared to 3,263 incidents during the same period in 2019. Of these, cyber security incidents involving brute force attacks, misconfigurations, malware and ransomware attacks, phishing, and unauthorised access to personal data totalled just 653.
“These figures are based on the number of reports of personal data breaches received by the ICO during Q4 2019-20. These figures are based on the number of reports submitted by the data controller, not necessarily the number of incidents,” the Information Commissioner said.
“I don’t see the decline in reported incidents as being odd. At the beginning of GDPR, many regulators faced the issue of companies overreporting incidents,” said Brian Honan, President of BH Consulting to ISMG.
“This overreporting was primarily due to companies not understanding when they actually need to report a breach. Now that those companies are more familiar with the GDPR requirements, and thanks to breach guidance issued by supervisory authorities and ENISA [European Union Agency for Cybersecurity], companies better understand under what circumstances they should report a breach,” he added.
In the latest data security incident trends report, ICO revealed that UK organisations suffered 280 security incidents due to phishing attacks. While 43 such incidents were reported by organisations in education and childcare sectors, 38 were reported by finance, insurance, and credit organisations, 30 were reported by retailers and manufacturers, and 20 were reported by real estate firms.
Businesses across the UK also reported a total of 60 ransomware-related security incidents, of which 21 were reported by firms in the retail and manufacturing sectors. Other sectors reported incidents in the single digits, with education and childcare organisations leading with 9.
The bulk of security incidents involved improper handling of personal data
The bulk of security incidents reported to the ICO were classified as “non-cyber” by the ICO and included alteration of personal data, data emailed to an incorrect recipient, data of the wrong data subject shown in the client portal, denial of service, failure to redact, incorrect disposal of hardware, incorrect disposal of paperwork, loss/theft of personal data, and verbal disclosure of personal data.
These incidents occurred mostly due to human error and formed 1,976 out of 2,629 security incidents reported to the ICO between January and March this year.
Grant Geyer, Chief Product Officer of Claroty, told TEISS: “Just as important as the principles the regulation stands for, the European Union’s global enforcement of blatant and willful violations of the rights of European citizens to have their personal data safeguarded has raised its prominence to the gold standard of data protection regulations worldwide.
In today’s global economy, GDPR has swiftly created a replicable regulatory blueprint that represents a win for citizens to maintain ownership over their personal data. That’s a sacred right in a digital economy where for many years personal data has been abused and monetised without awareness, consent, or recourse,” he added.