UK businesses fork out millions in fines due to poor data security

Analysis conducted by IT Governance of Data Protection Act contraventions over the past 22 months has revealed that companies are still failing to implement effective security measures to protect sensitive and personal data from being disclosed to third parties or intercepted by criminals.

The analysis, conducted from January 2013 to October 2014, shows that 94% of all DPA-related notices issued by the ICO were due to non-compliance with Principle 7 of the Data Protection Act. A total of £2,170,000 in fines was issued over this period.

What comes as no surprise is that the vast majority of breaches were due to employee errors in the handling and disclosure of data. 32% of all incidents were due to personal or sensitive data being inappropriately disclosed or sent to the wrong recipient. Repeated errors – such as sending information to the wrong recipients due to incorrect fax numbers or email addresses – were common.  Another major cause of human error was the misplacement of files, documents or mobile devices, accounting for an average cost of £35,000 per incident.

There were six serious cyber attacks that accounted for a whopping £600,000 in penalties issued, bringing the average cost of a cyber attack or hack to £100,000. Data disposal strategies also came under fire. Although the inappropriate disposal of assets accounted for only five incidents, the total value of monetary penalties was the most expensive: an average of £117,000 per incident.

With the estimated average cost per data breach incident of £35,574, the financial implications of poor data security cannot be taken lightly.

Most of the reasons for data breaches can be traced back to simple but essential information security measures. Data encryption, staff training and awareness, effective policies and procedures, penetration testing and data disposal management are all elements of a well-planned and maintained information security management system (ISMS).

With the new EU General Data Protection Regulation on the horizon, UK businesses would be wise to step up their policies and procedures or face considerably larger fines than those issued by the ICO.  Organisations contravening the new proposed regulation may face fines of 2–5% of global turnover.

ISO27001 offers a comprehensive solution to managing information security, helping companies to take a three-pronged approach to the protection of their data: people, processes and technology. As an auditable standard, ISO27001 allows certified companies to be verified by external auditors as proof that they have implemented the gold standard in information security.

A full copy of ‘Data Protection Compliance – Research Report 2014’ is available here:

IT Governance’s ISO27001 ‘Get a Lot of Help’ package is a fixed-price online consultancy service  to help you get started with ISO27001 at a much lower cost than having to resort to on-site consultants. Combining live, online expert guidance with key implementation tools, this package significantly reduces the time and effort required to implement a robust information security management system.

Contact IT Governance today for further information on how to get started or to discuss flexible payment options, on +44-845-070-1750 or email