We all know that many organisations could do better at data protection. The UK government’s Cyber Security Breaches Survey 2025 highlights a whole list of shortcomings – from awareness training to incident response – that are indirectly exposing them to cyber risk. Even the existence of a rigorous data protection framework (GDPR/Data Protection Act 2018) for the past seven years has not served to stem the tide. The government claims over two-fifths (43%) of UK businesses have experienced an attack or breach in the past 12 months.

However, there are ample opportunities for quick wins, something highlighted by a new report from Huntsman Security. It notes that roughly 30% of the incidents reported to the UK and Australian data protection regulators in the periods covered accounted for around 80% of breach victims. As such, the report’s findings could offer a useful place for cash-strapped organisations to focus their immediate efforts.

How the UK and Australia Differ

Huntsman Security submitted a Freedom of Information (FOI) request to both the UK Information Commissioner’s Office (ICO) and the Australian Information Commissioner (OAIC). The results offer a slightly different picture of the regulatory and corporate security landscape in each country.

UK: Out of the 9,654 data security incidents reported by British firms to the ICO last year, 2,817 (29%) were linked to brute-force attacks, malware, phishing, ransomware, and system misconfigurations. Yet these incidents accounted for nearly 80% of breach victims: 13.9 million out of 17.6 million.

Huntsman Security claimed that these also represented 90% of cyber-related data security incidents, meaning that a focus on security controls could be an effective way to mitigate them. Many were apparently highly targeted, designed to steal high-value data such as health records, financial information and identity documents.

Australia: A total of 1,188 incidents (32% of the total reported between 2022 and 2024) involved brute-force attacks, malware, phishing, ransomware, hacking, and unauthorised access. These were responsible for 77% of all compromised records. The report also reveals that criminal attacks (as opposed to accidental breaches) accounted for 62% of all breaches but 98% of all victims.

The report also highlights that, in Australia, it took organisations an average of 48 days to identify these breaches and a further 86 days before reporting them to the OAIC. An 86-day gap between discovery and notification is simply not allowed under the GDPR, which in most cases requires organisations to notify the regulator within 72 hours of becoming aware of a breach.

Where the UK Is Failing

These findings chime somewhat with the UK government breaches report. As reported previously by ISMS.online, it highlights a litany of issues contributing to a surge in preventable data breach incidents, including a general lack of:

  • Staff training programmes, where take-up hadn’t shifted from the previous year’s report
  • Third-party supplier risk reviews, which were conducted by only 32% of medium and 45% of large firms
  • Incident response plans, which were used by only half (53%) of medium-sized businesses and three-quarters (75%) of large businesses
  • Cybersecurity strategy: only 57% of mid-sized companies and 70% of larger firms even had one
  • Boardroom representation for cyber: only half (51%) of medium- and two-thirds (66%) of large-sized firms had someone sitting at the top table responsible for cyber strategy – a figure virtually unchanged for three years
  • Monthly cyber updates for business leaders, which only 39% of mid-sized and 55% of large firms do

Aligning Best Practice with Standards

There is one caveat to the Huntsman Security figures. They only count incidents for which a cause was identified. Many more may have no cause recorded because of poor forensics or incident response, so the true share of these attack types could be higher still. However, the report still carries an important message. By focusing on the above incident types and threats, as well as the best practice cybersecurity processes known to mitigate these risks, security teams can achieve some useful quick wins.

Morten Mjels, CEO of consultancy Green Raven, argues that culture is key to ensuring best practices are followed.

“The change does need to come from the top down, and you can change the culture by simply implementing multiple practices at once,” he tells ISMS.online. “If you have no idea about your potential exposure, get a risk assessment done professionally. They will be able to find the holes in your walls and can help you fix them. Do not rely on your IT people to fix everything; they are not omniscient miracle workers.”

Huntsman head of product management, Piers Wilson, tells ISMS.online that standards and frameworks like ISO 27001 and ISO 27701 “can form an important part of mitigating cyber risks through ensuring organisations understand their risks, following best practice and defining appropriate controls.”

He adds: “The important part is choosing which framework you apply: whether ISO, NIST, or smaller, more focused standards and schemes like Cyber Essentials or Australia’s Essential Eight.”

The goal throughout should be establishing a set of controls that are widely understood and acknowledged and then applied universally, he adds.

“In most cases, the intent or the policy isn’t the problem; it’s the execution. Standards compliance can risk becoming a tick-box exercise, and the cadence of audit and reporting may not be frequent enough for modern, changing cyber threats,” Wilson argues.

“An annual audit or quarterly report won’t give the real-time visibility and understanding of vulnerabilities that the modern threat landscape demands. In between these audits, the organisation’s posture can drift and be largely uncertain.”

This is why ISO 27001 requires organisations to monitor and measure their controls on an ongoing basis and to carry out regular internal audits, with the results feeding continual improvement of the management system.

Wilson notes that effective communication is crucial to achieving compliance.

“Every stakeholder in an organisation, from security analysts to risk management teams and executives, needs to understand at a glance whether good, agreed practices are being followed, what state controls are actually in, and who is responsible for fixing issues,” he concludes.

“Ensuring this continuous visibility and communication is vital for these standards to have their desired effect.”