94% of breaches due to poor information security
Despite the fact that compliance with the Data Protection Act (DPA) is mandatory for all British organisations, a total of 66 enforcement notices for DPA infringements were issued by the Information Commissioner’s Office (ICO) between January 2013 and October 2014, resulting in £2,170,000 in monetary penalties. Poor information security was the biggest single reason for these sanctions.
This is a key finding of a comprehensive analysis of Data Protection Act contraventions over the past 22 months conducted by IT Governance, the global leader in IT governance, risk management and compliance expertise.
The research reveals that enforcement notices were issued by the ICO for both massive and extensively damaging cyber security breaches, as well as simpler but no less significant contraventions – such as faxes that were sent to the wrong recipients.
Monetary penalties were more severely enforced for online breaches and cyber attacks, costing companies an average of £52,308 per incident. By contrast, losing a device or file cost companies £35,000 on average.
Alan Calder, founder and executive chairman of IT Governance, says: “With cyber criminals becoming increasingly sophisticated, it is more difficult than ever to ensure that all possible access points into an organisation’s systems are protected and to effectively reduce cyber risks. A holistic approach to information security is crucial – to be successful, organisations must adopt a best-practice approach to enterprise-wide information security management that encompasses people and processes, as well as technological solutions.”
An additional area of concern is that a staggering 94% of all notices issued in the last 18 months were attributed to noncompliance with the seventh principle of the DPA. This requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
This finding highlights the lack of due diligence in data protection and poor information security. The financial implications are also considerable, with the estimated average cost per data breach incident over the last 22 months amounting to £35,574.
Calder says: “Information security management is a key element of privacy regulations, including the Data Protection Act. Organisations should be turning to ISO27001, the international information security standard, as a means to address both the strategic and operational aspects of information security, and to conform to the principles mandated by the DPA (e.g. Principle 7) and other regulations.
“With the proposed EU Data Protection Regulation expected to come into force next year, and the continued proliferation of data breaches, companies cannot afford to be complacent about data protection and information security.”
IT Governance has recently revolutionised the way organisations can get expert information security help by introducing ISO27001 packaged solutions that are delivered online and can be accessed globally. Each of the four solutions, ‘Do It Yourself’, ‘Get A Little Help’, ‘Get A Lot of Help’ and ‘We’ll Do It for You’, is available at a transparent price that enables any organisation, anywhere in the world, to know exactly what their chosen journey to ISO27001 certification will cost them.
‘Data Protection Compliance - Research Report 2014’ was conducted as secondary research by identifying and analysing all data breach notifications and monetary penalties issued by the ICO between January 2013 and October 2014.
A copy of the full ‘Data Protection Compliance - Research Report 2014’ report is available here: www.itgovernance.co.uk/data-protection-compliance-report.aspx