Three mistakes that could result in a data breach for your business

Data breaches can be costly for your business, both monetary and reputational, and they aren’t always preventable. However, you can minimise the risk of data breaches and reduce any potential impact.

Here are some of the top preventable mistakes that businesses make:

Mistake 1: Using outdated tech and software

Cyber threats are probably the most well-known types of data breaches. Types of cyber threats include ransomware and phishing and involve hackers stealing personal data.

According to the Information Commissioner's Office (ICO), the UK's data protection regulatory body, most ransomware incidents are usually the result of "poor cyber hygiene rather than sophisticated attack techniques”.

In one of the largest data breaches in history (1), credit bureau company Equifax Ltd. was fined just over £11m in 2023 after a cyber attack in 2017. Hackers accessed the personal data of around 13.8m UK-based individuals (as well as 116m in the US and 19,000 in Canada).

The attack, which the Financial Conduct Authority described as “foreseeable and entirely preventable”, began with hackers utilising an unpatched software loophole in Equifax’s parent company (Equifax Inc) based in the US.

You must ensure that your organisation regularly implements the latest software updates, as these generally contain updated patches to known security loopholes.

It’s also important that the tech itself is current; old tech won’t support the latest updates, which could leave you more vulnerable to data breaches.

Mistake 2: Overlooking the potential for human error

Although hackers can also exploit human vulnerabilities to steal data, breaches often happen by mistake.

Most data breaches reported to the ICO are a result of human error; between 2019-2024, approximately 70% of reported data breaches were ‘non-cyber’.

The most common type of ‘non-cyber’ data breach is failing to use BCC in emails. Other types include emailing/posting data to the wrong person and failing to redact sensitive information in communications.

In April of this year, The Central YMCA was reprimanded and fined £7,500 by the ICO for failing to use BCC in an email (2). The company disclosed the email addresses of 166 people by using CC in an email that discussed a sensitive medical condition.

The ICO found that all 166 people could be at least partially identified by their email addresses, and therefore inferred that all 166 identifiable recipients were likely living with the condition.

To prevent mistakes like this, your organisation should provide basic cyber security and data protection training to all employees, regardless of role, to mitigate mistakes.

In addition, you should offer specialised training to staff members who have significant roles involving people’s data.

Mistake 3: Being complacent with procedures 

If your organisation’s data protection policies and procedures aren’t up to scratch, you could be more open to a potential data breach, whether from outside hackers or internal human error.

The ICO states that “poor information security leaves your systems and services at risk and may cause real harm and distress to individuals”.

In May, the ICO announced its intention to fine the Police Service of Northern Ireland (PSNI) £750,000 for its failure to protect the information of its 9,483 workforce (3).

The incident revolved around personal information mistakenly included in a 'hidden' spreadsheet tab published online.

Of the breach, John Edwards, UK Information Commissioner, said: “Simple and practical-to-implement policies and procedures would have ensured this potentially life-threatening incident did not happen in the first place.”

To minimise the risk of data breaches, organisations should have robust and appropriate safety procedures in place, such as data encrypting, adequate password protections and restricting access to files for only those essential.

Your organisation should also have a clear data protection policy so your staff know what to do and why. This could cover topics such as data management (including disposal) and the steps to take should you suffer a data breach.

Don’t leave yourself vulnerable

These three points are not mutually exclusive. For example, a data breach could happen due to a combination of outdated software, human error, and a lack of procedures. What remains the same is your organisation’s responsibility to ensure the safety of the personal data it holds as part of its compliance with data protection legislation.

There is no prescriptive way to ensure data protection law compliance as every organisation is different. That’s where specialist legal advice can help.

Speak to one of our data protection team for more information on how we can support you.

References:

1) Financial Conduct Authority

2) ICO

3) ICO