Imperva has announced an analysis of data breaches around the world and in the UK. The analysis shows that despite increasingly stringent regulations and fines, a lack of genuine data security is still putting tens of millions of individuals’ data at risk, and costing organisations billions.
The analysis of 99,490 data breaches reported to the Information Commissioner’s Office (ICO) between April 2019 and December 2022, and of 33 breaches deemed ‘most notable’ by cyber security professionals responding to the Chartered Institute of Information Security (CIISec), found that:
- 32% of all breaches reported to the ICO could have been avoided by having better data management and security.
- The ‘most notable’ breaches cost organisations more than 13.5 billion, of which global regulatory fines made up less than 6% – approximately the same amount as legal settlements.
Terry Ray, SVP, Data Security GTM and Field CTO, Imperva, says, “It’s undeniable that regulators are taking a stronger line on data breaches. ICO penalties have increased almost tenfold since GDPR fines came into effect. However, there is still a risk organisations are prioritising measures that demonstrate compliance on paper over those that provide genuine data security.”
“In many cases, initiatives that meet the letter of compliance will not in fact prevent organisations from suffering the financial impact of a data breach, such as from customer churn and reputational damage, which can dwarf any potential fines. To put this in perspective, at present it would take the ICO 28 years to fine organisations the equivalent of just one of the ‘most notable’ data breaches.”
Imperva’s investigation found that malicious incidents such as malware, phishing and ransomware accounted for only a third (33%) of breaches reported to the ICO.
For comparison, the same number could have been avoided by preventing incidents such as unauthorised access to data (10% of all breaches) or data being emailed to the wrong person (12%).
Similarly, breaches caused by threats from outside the organisation (35% of reported breaches) are less common than those caused by insider threats (40%).
Other findings from the ICO data include:
- Identifying threats is a challenge: 40% of all data breaches took longer than 72 hours to report, and 18% took longer than a week. This is a key issue: the longer a breach goes undetected, the more time attackers have to cause damage, and the more likely regulators and others are to impose harsh sanctions, the researchers state.
- 37% of all breaches could likely be attributed to human error: this includes failing to redact data or to use BCC correctly, alteration of data, or sharing data with the wrong person. Sharing data with the wrong person (e.g., over email, by post or verbally) was by far the most common cause of a data breach, accounting for 23%. 11% of breaches were caused by lost or stolen data, for instance through theft of devices containing data, or leaving paperwork in an insecure location.
Ray says, “The truth is the vast majority of organisations are not set up to execute a successful data security strategy. Too many are just carrying out tick-box exercises while data breaches rise by around 34% annually.”
“Often, it’s because businesses simply don’t know if the data security investments they’re making are having any impact. Without clear metrics that can indicate whether organisations are moving in the right direction, and that they’re more secure today than they were yesterday, we’re going to continue seeing the number and cost of breaches rise.”