IT Brief UK - Technology news for CIOs & IT decision-makers

UK firms report more breaches amid remote work, policy gaps

Yesterday

Research from Apricorn shows a significant rise in UK organisations self-reporting data breaches or potential breaches to the Information Commissioner's Office (ICO) during the past year.

According to Apricorn's annual survey of IT security decision makers, 69 per cent of respondents said their organisations had disclosed a breach or risk of a breach to the ICO over the past year, rising from 53 per cent in 2024. The survey included responses from 200 IT security decision makers across the UK.

Reporting trends

The proportion of companies reported to the ICO by a third party fell to eight per cent from 14 per cent last year, indicating businesses may be developing stronger internal reporting mechanisms and assuming increased accountability. This development has been interpreted as a shift towards organisations taking more responsibility for their breach response strategies, with a move away from reactive disclosures initiated by outside parties.

Despite improvements in reporting, the data points to ongoing risk, particularly regarding remote and mobile workforces. Apricorn's findings reveal that 46 per cent of businesses confess their remote or mobile workers knowingly put company data at risk in the previous year. Looking ahead, 61 per cent of survey participants believe their mobile workforces remain likely to expose the organisation to a future breach.

Phishing was identified as the most common cause of data breaches, referenced by 37 per cent of IT professionals questioned. Employee mistakes followed closely, cited by 33 per cent. These results underscore persistent concerns that mistakes, negligence or malicious behaviour by staff continue to be the leading driver of breaches, ahead of external threats.

Policy versus practice

Nearly all surveyed organisations – 99 per cent – report having a mobile or remote working security policy, and 95 per cent believe their employees understand and adhere to these rules. However, confidence wanes given that 58 per cent of organisations indicated employees lack the technology or skills required to properly secure data, even if they are willing to comply. This suggests a disconnect between policy and practical capability at the employee level.

"Too many organisations are relying on assumptions that policies are followed, that devices are secure, that staff know what to do, but if organisations want to reduce breach risk, they must give staff the right tools to do the right thing."

This comment from Jon Fielding, Managing Director, EMEA, Apricorn, reflects concern that policies alone are insufficient protection in today's hybrid working environment.

Technology and operational challenges

Further technical and organisational barriers emerged in the study. Nearly 37 per cent of surveyed businesses stated they cannot be certain their data is adequately secured or have lost visibility over where their corporate data resides. In addition, 16 per cent reported that their current technology does not support secure mobile or remote working. Eleven per cent admitted they do not know which internal datasets require encryption, indicating gaps in data classification and risk assessment.

The complexity associated with managing remote technology has increased. In this year's survey, 47 per cent of organisations said managing technology for employees working remotely or on the move has grown too complex. Another 35 per cent said remote working makes it more difficult to comply with GDPR, potentially due to increasing regulatory demands around data localisation and cyber sovereignty.

Devices and controls

The survey shows a growing reliance on employee-owned equipment, with 56 per cent of organisations now permitting staff to use personal devices to access business systems and data – a nine per cent increase over the previous year. This is the highest proportion recorded by Apricorn since 2019. While most companies use software controls to manage access, these approaches lack the oversight and enforcement associated with business-issued devices. Only 19 per cent of those surveyed require staff to use company-provided equipment with endpoint controls, reflecting a slight increase from 15 per cent in 2024.

Fielding concluded by outlining necessary next steps:

"Self-reporting breaches is a positive step, but if organisations want to reduce how often they're doing it, they must bridge the gap between written policy and operational readiness. This includes clear provisioning of secure tools like hardware-encrypted drives, restricting data movement to known systems, and prioritising the secure handling of data at every endpoint."

The results come from research conducted by Censuswide with 200 IT security decision makers. The study highlights continuing challenges for organisations as they adapt to ongoing changes in working practices, technology, and regulatory environments.
