The Danish Data Protection Authority has put together statistics on security breaches as part of their data and risk-based strategy. These statistics are updated monthly, to help businesses make good risk-based decisions. For evaluating your own security risks, I recommend using our risk analysis template. In this blog post I will go over what the statistics are saying right now.
Types of GDPR and security breaches reported
The Data Protection Authority put together a report based on the reports of GDPR breaches it receives. In the statistics, the Data Protection Authority has presented the types of security breaches that are most often reported to them. The five most common types of security breaches are:
Correct information going to the wrong recipient = 46%
Other = 14%
Disclosure = 12%
Incorrect information going to the correct recipient = 9%
Lost mail = 9%
At first glance, none of these categories appear to have anything to do with cyber-crime/hacking, but rather seem to just be normal everyday accidents. Actually, only 2% of the reports are classified as hacking.
This shows the importance of training employees and creating awareness so that they can avoid making these mistakes in their work.
Security breach reports are categorised
Before diving further into the five most common GDPR breaches, let’s take a step back and consider what the statistic is actually made up of. When the Data Protection Authority receives a report of a security breach, they categorise the report based on what took place in the incident. The report can be put into one or many categories based on the incident, and there is also an “other” category for incidents that don’t fit into the standard categories. The categorisation looks like this:
Do you want to see what else is reported? check out the Data Protection Authority here.
The Data Protection Authority has placed 19,087 breaches into the categories above.
How the different categories are defined is not explained. This means that it is up to oneself to decipher what the categories contain and when they are overlapping. A phishing email can, for instance, be classified as a hacking, social engineering, and ransomware incident, depending on the situation that took place.
The biggest issue is correct information going to the wrong recipient
Going back to the most common types of security breaches, the most frequent type is “Correct information/wrong recipient”.
46% of all reports are based on the correct information having been sent to the wrong person. It seems like a small problem, but a whopping 8,863 out of the 19,087 reports fit in this category. It shows how easy it is to accidentally share information with the wrong person when you have your hands full with everyday tasks. Maybe you added the wrong recipient to an email or gave a user too many user rights in a system. One small wrong click can cause an entire security breach.
Because of breaches like these, it is important to teach your employees to check through everything an extra time before hitting “send”, or before granting a person access to data. As easy as it seems to avoid such a mistake, it is just as easy to make that mistake.
Awareness of these simple pitfalls is important to avoid them. Technical solutions can solve many problems, but they can’t prevent a person from sending information to the wrong person.
The most common GDPR breaches are NOT caused by hacking
As mentioned, the five most common breaches are:
- Correct information going to the wrong recipient = 46%
- Other = 14%
- Disclosure = 12%
- Incorrect information going to the correct recipient = 9%
- Lost mail = 9%
These types of breaches do not involve hacking or complicated attacks. Rather, they are caused by normal everyday situations gone wrong, through a tiny mistake.
It is a bit unclear what a category such as “Disclosure” consists of, except for personal data being shared. We can’t rule out that a hacker might have gained access to the data and published them somewhere, which led the breach to be categorised under “Disclosure” in the statistics. But only 2% of the reports are classified as hacking, so only a small number of the reports in the “Publishing” category are related to hacking. Because of this, we must assume that the majority of these incidents happen through employees. It could be possible that an employee accidentally put personal data on a website, where everyone can access it. There are countless ways to accidentally publish data that should not have been made public.
Most security breaches happen due to human error
Lost carrier mail takes up a whole 9% of all GDPR breaches. It illustrates very well the fact that we are all human and that mistakes can always happen. Carrier mail can disappear in many places during the process due to actions by the sender, the delivery service, or the recipient. Common among all three is that mistakes will often be due to human error. It shows how breaches often depend on behaviour.
“Wrongful information to the correct recipient” in many ways resembles the “Correct information to the wrong recipient” category. The seemingly most obvious reason for this type of incident is to have accidentally attached a file to an email and thereby granted people access to data they were not meant to receive. So, we are again looking at a category that might mainly consist of human errors rather than hacking and technical mishaps.
Combined, the five most common reasons for security breaches make up a whole 90% of all the security breaches reported. Looking at this from a risk assessment point of view, it would make sense to look into how these GDPR breaches can be avoided. For good reasons, it is not possible to decipher what the “Other” category consists of. When it comes to the other categories, our assessment is that it is possible to significantly lower the risk of security breaches, if you teach your employees about the GDPR and make them aware of how easy it is to make and avoid these types of mistakes. You can also read our comprehensive guide on how to stay compliant with the GDPR.
These numbers highly support what we have written in our e-book (which, by the way, is free). In our e-book, we focus on how the biggest risk for security breaches lies with your employees. Training your employees is therefore a crucial cornerstone in creating a good cyber security culture in your workplace.
IT criminals only make up a small part, but the consequences are greater
The categories that are obviously about hackers/IT criminals are:
But these four categories only make up 4.5% of the reported security breaches. That corresponds to 765 (out of 19,087 total breach reports) that fit into a minimum of one of these categories. The probability of experiencing one of these attacks is therefore not that great.
That does not mean that these types of attacks are not relevant to defend yourself against, as the consequences in these types of situations often will be great. Last year, we saw several companies lose millions due to ransomware cases, which also landed them some hefty fines due to breaking the rules of the GDPR. So even though these types of breaches do not happen that often, the consequences are great enough that you have to take them seriously. In our blog post about the cost of a data breach, you can read more about how expensive security breaches can be.
Use a risk assessment to protect yourself from potential breaches
The essence of a risk-based approach, which is recommended by officials, is that you conduct a risk assessment. This assessment will contain information about how great of a risk there is for a situation to arise, and how big the consequence for a given situation could be. Based on this you can assess where you want to use your resources. It is about avoiding spending energy on a type of incident, where the consequences are low or the probability of it happening is almost non-existent.
If ransomware was not a threat last year, it could be that the consequences are great, but the probability is so small that you will not have to focus on it. That is unfortunately not the case, as ransomware is a real risk. But the risk is still really low, as only 93 out of 19,087 security breaches are categorised as ransomware. Based on this statistic, it would not make sense to focus all of your IT security efforts on ransomware.
Assess your own biggest security risks with the help of our risk-assessment guide and template.
IT security requires focus on behaviour and people
As mentioned earlier on, the statistics show that the majority of security breaches happen when we make mistakes in our everyday work. For example, we might accidentally send personal data to the wrong people. Heightening your focus on awareness training can therefore be a good idea, in order to boost your IT security and reduce the risk of security breaches. If you can train your employees to think twice before they click on something, then you have already gotten far.
Where technical solutions such as firewalls and anti-virus programs can help, there is also a need for aware employees when it comes to threats such as hacking, social engineering and ransomware. The Danish Data Protection Authority mentions that the majority of hacking incidents start with a simple phishing email. Therefore, awareness training and phishing training can be good tools to ensure that it will not be one of your employees who makes a mistake.
The statistics will continuously be updated, so we recommend that you stay up to date on the latest trends in types of security breaches.