IT leaders find almost a third of breaches reported to ICO by outsiders


Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives has today announced further findings from its annual research into cyber breaches, encryption and data security. Thirty-two per cent of surveyed UK security decision makers have revealed that their organisation has been reported by someone else to the ICO for a data breach/potential breach since GDPR came into effect.

The number of organisations being reported from outside the organisation had seen a decline from 10% in 2021, down to 4% in 2022, but has seen a huge increase this year to 32%.  This could be a sign of increased awareness as people become more au fait with the signs of a data breach and the importance of reporting them, but it could also indicate a lack of internal awareness or due process.

“Not all breaches are reportable, but likely recordable. The fact these breaches have been reported from outside the organisation may indicate that internal teams are not as aware as they should be of transgressions. But equally, if those doing the reporting simply work externally, this could reveal some confusion over how the breach should be reported and indicates the opposite – that staff are becoming more vigilant,” said Jon Fielding, Managing Director, EMEA Apricorn.

That said, 40% of breaches/potential breaches were reported to the ICO by someone within the organisation, again highlighting increased awareness around the importance of disclosure and speedy remediation when complying with regulations such as GDPR and in order to avoid the punitive fines that can come from non-compliance.

The number that said they had not experienced a breach or potential breach has halved from 14% in 2022 to 7% in 2023, which demonstrates some level of learning as businesses have begun to put measures in place to avoid the risk of a data breach.

However, the same survey also found that almost 50% (48%) of surveyed IT decision makers that mobile/remote workers knowingly put corporate data at risk of a breach in 2023 and 51% of organisations expect them to expose their business to the risk of a breach. In addition, the survey found that 24% believe mobile/remote working makes it harder to comply with GDPR which could also explain the increase in breaches being reported as more employees work on a remote basis.

Whilst almost a quarter (24%) of breaches resulted from ransomware attacks, insider threats appear to be the biggest threat with 40% citing these (22% unintentional and 20% intentional) as the main cause of a data breach within their organisation. Other user related threats ranking highly were; phishing emails (21%) and lost/stolen devices containing sensitive corporate information (18%).

“It seems the education is lacking when it comes to protecting against a breach, but employees are well practiced in how to report them. Businesses need to think carefully about the former and being prepared for the when, and not the if. But the fact that almost double the number of breaches were caused by insiders as opposed to phishing attacks is startling given that phishing is widely regarded as the number one threat by many. What this tells us is that businesses should be looking to reinforce a culture of security and ensure data is protected at all times and at all costs!” – Fielding added.