Monday 20 May 2019

Tsunami of data breaches strikes Irish companies as half report incidents

Irish companies still suffer data breaches in huge numbers, according to industry figures - and much of it is being put down to 'negligent' employees

'Negligent employees' are responsible for a large amount of security breaches.
Adrian Weckler


Over half of Irish companies have suffered at least one data breach in the last 12 months, new industry figures show.

A total of 55pc of Irish organisations say that they have seen company data stolen, hacked or otherwise compromised over the last year, largely due to "negligent employees".

And two in five Irish companies now rate external hacking as one of their top three IT threats, according to the national survey conducted by the Irish Computer Society.

A third of Irish firms say they have seen sensitive data slip out once in the last 12 months, while a further 22pc say it has happened multiple times in the same time period.

The ICS figures are likely to understate the flood of data breaches affecting Ireland, with a quarter of those responding to the survey admitting that they did not know whether they have let sensitive data slide or not.

While "negligent employees" remains the biggest data protection worry among Irish firms, "external attackers" have risen to become the second most feared security risk.

However, the actual incidence of admitted "external attacks" has fallen from 18pc in 2015 to 7pc this year, according to the data. By contrast, almost three-quarters of data loss was caused by "staff members", and most of those incidents involved volumes of under 100 records.

Last year saw several notable data breaches among private and public companies. More than 300 civil servants fell victim to unencrypted personal details, including some payment details, being sent outside the system.

The survey, which was conducted for the Irish Computer Society by Fresh Perspectives, questioned companies of all sizes with the greatest single tranche representing organisations with over 200 employees. It found that 41pc of those who are made responsible for data protection issues within companies have had "insufficient" or "no" training.

It also found that over a quarter of Irish companies have taken no measures to protect against external data breach threats or are "not sure" whether they have done so.

Three quarters of Irish companies transfer data internationally with 41pc transacting outside the EU, the survey found. Such firms are likely to keep a close watch on current developments between the EU and US on the question of replacing the defunct 'Safe Harbour' data transfer agreement.

Meanwhile, 73pc of Irish organisations claim that they have taken some precautionary action against the spectre of data breaches, while 8pc say they have not.

However, only 34pc of companies here have fully implemented their own data protection policies across all of their units, with 56pc saying that measures have been partially implemented and 9pc saying that they have not been implemented.

And there is confusion among Irish companies about internal liability should a data breach occur. 41pc of Irish company executives say that they would face official sanctions in the case of a data breach, while 58pc say that there would be no sanction or that they were unaware of such sanctions.

Just 65pc of Irish executives say that their firm has an actual data breach policy.

Meanwhile, over a third of Irish companies are "not confident" that staff know what procedures to follow in the event of a data protection encounter.

Nevertheless, 79pc of companies have a named person in charge of data protection, with half of these residing in the IT department and just a fifth in the legal department.

The data from the Irish Computer Society comes amid a flurry of recent research suggesting that Irish companies are still blasé when it comes to protecting against data breaches. A recent survey from A&L Goodbody found that a majority of Irish businesses are not adhering to legal requirements around IT security and that the legal lapses are leaving Irish companies open to legal action as well as potential fines.

The survey of 200 Irish companies found that two-thirds do not have written IT security policies in place while three in five firms don't train staff on what to do. Such lapses contravene current Irish data protection law and could lead to harsher penalties under new laws to be introduced soon.

"We expect to see issues around this revisited in Irish courts soon," said John Whelan, head of A&L Goodbody's international technology practice. "The courts here have sometimes limited damages here to pecuniary ones as opposed to data-related ones, but there is a noticeable difference between UK and Irish courts in interpreting the same basic EU laws on the issue. I think you'll see the situation here evolve."

The research found that 63pc of Irish firms don't know what the legal situation is and half of Irish companies use off-site third parties to host their data without knowing what their IT security policies are. It also found that one in four company boards had not been briefed on their business' legal obligations and the mechanisms that were in place, if any, to deal with a cyber attack.

Indo Business
