Breaches reported to ICO almost double

The number of security breaches reported to the Information Commissioner's Office (ICO) almost doubled in 2015/16, an Freedom of Information (FoI) request has found.

Some 2,048 incidents were reported to the UK's data protection watchdog – which has the power to fine organisations up to £500,000 for serious breaches – between April 2015 and March 2016, according to the FoI request, from Huntsman Security.

That's up from 1,089 in a similar period in the previous year.

Health, local government and education were responsible for 64 per cent of the total, the research found.

Although organisations in the financial sector accounted for less than six per cent of reported incidents, they attracted a third of all financial penalties pursued by the ICO, which Huntsman Security suggested hints at the severe nature of breaches suffered in the sector.

Utilities companies reported just two security breaches to the ICO during the period.

Despite the hike in reported breaches, the ICO took action in only 504 cases, less than a quarter of the total.

"Unfortunately, this is not the full story. The average organisation is subject to multiple breaches, of which only some will be detected, so the figures reported to the ICO are likely to be understated," said Huntsman Security CEO Peter Woollacott.

'Dramatic understatement'

Ian Kilpatrick, chairman of security VAD Wick Hill (pictured), agreed that the number seems "light", pointing out that only a small proportion of organisations are required to self-report breaches to the ICO.

"There will be a bunch of people not under any requirement to report, so that figure will be a massive understatement of a much larger problem," he said.

The imminent arrival of the European General Data Protection Regulations (GDPR) – which will see firms fined up to four per cent of global turnover for serious incidents – has made protecting against data breaches the top driver in IT security alongside ransomware, according to Vincent Booth, director of security VAR Solved IT.

Booth expressed particular unease about whether the rush to cloud computing is leaving some of his customers exposed, citing the breach at cloud-based file-sharing vendor Dropbox that came to light this week as a concern.

"There's so much effort moving things into the cloud and I wonder how much security there is," he said. "You are putting a lot of faith in someone else, as you are not in charge."

Kilpatrick warned that many firms will wait to see how much "teeth" GDPR has following its slated introduction in 2018, before bolstering their defences.

"If there aren't that many people who are found, and even fewer who are punished, people will keep their heads down," he said. "Until it's seen as having teeth, GDPR will only affect those people sitting at the higher end of the awareness spectrum."

The recent breach at single sign-on vendor OneLogin demonstrates the need for VARs to emphasise education over technology, Mike Simmonds, managing director of networking and security VAR Axial Systems argued.

Simmonds said he was surprised that the number of reported breaches wasn't higher.

"Technology is important, but the majority of the breaches are due to education, and we are still on an evangelising mission around the training aspect," he said.

"From our point of view, the majority of the decent conversations we are having revolve around education, and then, secondly, the technology which bolsters that education, so you're not leaving yourself open."