The Danish Data Protection Authority has put together statistics on security breaches as part of a new strategy on a data and risk-based effort. These statistics will be updated monthly, to help businesses make good risk-based decisions. In this blogpost I will go over what the statistics are saying right now.
In the statistics, the Data Protection Authority has presented what type of security breaches are most often reported to them. The five most common types of security breaches are:
At first glance, none of these categories appear to have anything to do with cyber-crime/hacking, but rather to just be normal everyday accidents. It is actually only 2% of the reports that are classified as hacking.
This shows the importance of training employees and creating awareness so that they can avoid making these mistakes in their work.
Before diving further into the five types, take a step back and consider what the statistic is actually made up of. When the Data Protection Authority receives a report on a security breach, they categorise the reports based on what took place in the incident. The categorisation look like this:
Watch diagram below
In the categories seen above, 4,856 breaches have been registered in the categories.
How the different categories are defined, is not explained. This means that it is up to oneself to decipher what the categories contain and when they are overlapping. A phishing e-mail can for instance be classified as both hacking, social engineering and ransomware, depending on the situation that took place.
Going back to the most common types of breaches, the most frequent type is that of “Correct information/wrong recipient”.
50% of all reports are based on the correct information having been sent to the wrong person. It seems like a small problem, but a whopping 2,437 out of the 4,856 reports fits in this category. It shows how easy it is to accidentally share information with the wrong person, when you have your hands full with everyday tasks. Maybe you added the wrong recipient to an e-mail or gave a user too many user-rights in a system. One small wrong click can cause such a security breach.
Because of breaches like these, it is important to teach your employees to check through everything an extra time before hitting “send”, or before granting a person access to data. As easy as it seems to avoid such a mistake, as easy it is to make that mistake.
Awareness on these simple pitfalls is important to avoid them. Technical solutions can solve many problems but does not help to refrain a person from sending information to the wrong person.
As mentioned, the five most common breaches are:
Correct information going to the wrong recipient = 50.2%
Publication = 13.6%
Other = 10.4%
Lost carrier mail = 7.1%
Wrongful information to the right recipient = 7%
These categories do not smell like hacking and complicated attacks. It is rather normal everyday situations gone wrong, through a tiny mistake.
It is a bit unclear what a category such as “Publication” consists of, except for personal data being shared. You cannot rule out that a hacker might have gained access to the data and published them somewhere. This is therefore in the “Publishing” category in the statistics. But only 2% of the reports are classified as hacking, so it is only a small number of the reports in the “Publishing” category that consists of hacking. Because of this we must assume that the majority of the incidents happen through employees. It could be possible that they accidentally put personal data our on a website, where everyone can access these. There are countless of ways to accidentally publish data that should not have been public.
Lost carrier mail takes up a whole 7.1% of all breaches. It illustrates very well the fact that we are all human and that mistakes can always happen. Carrier mail can disappear many places in a process – both on the sender’s end, at the service responsible for delivering it and at the recipients. Common for all three is that it often will be due to human error. It shows how breaches often depend on behaviour.
‘Wrongful information to the correct recipient’ in many ways resemble the ‘Correct information to the wrong recipient’ category. The seemingly most obvious reason for this type of incident is to have accidentally attached a file to an e-mail and thereby granting people access to data they were not meant receive. So, we are again looking at a category that might mainly consist of human errors rather than hacking and technical mishaps.
Combined the five most common reasons for report make up a whole 88.3% of all of the reports. Looking at this from a risk-assessment point-of-view it would make sense to look into how these can be avoided. For good reasons, it is not possibly to decipher what the ‘Other’ category consists of. When it comes to the other categories, our assessment is that it is possible to significantly lower the risk of security breaches, if you teach you employees about GDPR and make them aware of how easy it is to make and avoid these types of mistakes.
These numbers highly support what we have written in our e-book (which, by the way is free). In our e-book we focus on how the biggest risk for security breaches lies with the employees. Training your employees is therefore a crucial cornerstone in creating a good cyber security culture in the workplace.
The categories that are obviously about hackers/IT criminals are:
But these four categories only take up 4.7% of the reported security incidents. That corresponds to about 227 of these reports fitting into minimum one of these categories. The probability of experiencing one of these attacks is therefore not that great.
That does not mean that these types of attacks are not relevant to defend yourself against, as the consequences in these types of situations often will be great. Last year we saw several companies lose millions due to ransomware cases. So even though these types of breaches do not happen that often, the consequences are great enough that you have to take them seriously.
The essence of a risk-based approach, as is recommended by officials, is that you conduct a risk assessment. This assessment will contain information on how great of a risk there is for a situation to arise, and how big the consequence for a give situation could be. Based on this you can assess where you want to use your resources. It is about avoiding spending energy on a type of incident, where the consequences are low or the probability of it happening almost non-existent. If ransomware had not happened last year, it could be that the consequences are great, but the probability is so small that you will not have to focus on it. That is unfortunately not the case as ransomware is a real risk. But the risk is still really low, as only 23 out of 2437 security incidents can be categorised as ransomware. Based on this it would not make sense to focus all of your IT security efforts on this.
As mentioned earlier on, the numbers from the statistics show that the majority of security breaches happen when we commit mistakes in our everyday work. We accidentally send personal data to the wrong people, and sometimes the right data to the wrong people. Heightening your focus on awareness training can therefore be a good idea, in order to boost your IT security and reduce the risk of security incidents. If you can train your employees to think twice before they click on something, then you have already gotten far.
The risk of being hit by malicious actors and thereby experience a security breach, like ransomware, is not as great. But the consequences of getting hit by these types of attacks are so great that you cannot just stick your head in the bush and say that it will not happen to you. Where technical solutions such as firewalls and anti-virus programs can be of help, there is also a need for aware employees, when it comes to threats such as hacking, social engineering and ransomware. The Danish Data Protection Authority mentions that the majority of hackings start with a simple phishing e-mail. Awareness and phishing training can therefore be a good tool to ensure that it will not be one of your employees who does a click.
The statistics will continuously be updated, why we recommend that you follow up on this.
Join our 2000+ subscribers and sign up for our newsletter. You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.