Nearly one-third of security decision makers in the UK claim they have been reported to the Information Commissioner’s Office (ICO) over a data breach by an individual outside their organization.
Analysis from Manchester-based encryption firm, Apricorn, recorded a steep increase in the number of organizations reported to the ICO so far during 2023, with 32% reported by someone outside their firm.
The increase marks a significant rise compared to previous years. In 2022, just 4% of breaches were reported to the watchdog by outsiders while in 2021 this stood at 10%.
This, the firm said, suggests a growing public appetite to hold businesses to account over potential data security risks.
“This could be a sign of increased awareness as people become more au fait with the signs of a data breach and the importance of reporting them, but it could also indicate a lack of internal awareness or due process,” the company said.
Jon Fielding, managing director for EMEA at Apricorn said the trend raises additional questions over internal reporting practices in the event of a data breach or potential risks to consumers.
“Not all breaches are reportable, but likely recordable. The fact these breaches have been reported from outside the organization may indicate that internal teams are not as aware as they should be of transgressions,” he said.
Research earlier this year found that nearly half of cyber security practitioners have been told to keep data breaches “under wraps” by senior management.
The study from Bitdefender revealed that 42% had been told to keep a data breach confidential when they knew it should have been reported
RELATED RESOURCE
Discover how you can prepare and protect your organization from a cyber attack.
DOWNLOAD NOW
US-based security practitioners were found to be the most likely to have kept a breach hidden, with 71% failing to inform senior management or customers. UK and European-based respondents were typically more likely to report data breaches and security incidents, however.
The repercussions for failing to disclose a data breach can be costly for organizations and individuals on both sides of the Atlantic. EU-based firms are required to notify authorities “without undue delays” and within 72 hours upon discovery of a breach.
Internal reporting still prioritized
Apricorn’s report said that despite an increase in external reporting, internal data breach disclosures are still prioritized by security leaders.
Nearly half (40%) of respondents said breaches or potential breaches were reported to the ICO by someone within their organization.
The study suggested this highlights a continued awareness on the importance of data breach disclosures and “speedy remediation” when complying with regulations such as GDPR.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
