Data breaches aren’t just IT’s problem…

Let’s be honest, in today’s hyper-connected world, some industries are sitting ducks for cybercrime.

Our latest analysis of ICO data shows nearly 22,000 businesses and public sector organisations self-reported data breaches between 2023 and Q1 2025.

UK GDPR legislation defines a personal data breach as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”

Examples include sending an email to the wrong recipient, a lost laptop containing personal data, a cyberattack that exposes customer records or staff sharing sensitive data inappropriately or without authorisation.

The health sector has the highest rates of self-reporting for personal data breaches, totalling 3,820 between 2023 and 2025 (up to Q1). In close second is education and childcare (3,246), followed by retail and manufacturing (2,385) and finance, insurance, and credit (2,175).

Many of these sectors are also heavily regulated and operate under close public scrutiny. Because of this, organisations often adopt a risk-averse reporting approach.

But here’s the thing: breaches aren’t just a tech problem. They affect people too, and that’s where workplace wellbeing comes in…

Why your work environment matters for data protection

Think about it, if your team is stressed, overworked, or burnt out, the chances of mistakes go up. And mistakes lead to breaches.

Currently, over half of UK employees say the demands of their job cause excessive stress and the latest research shows poor employee mental health costs UK employers £51 billion a year, with 63 percent experiencing at least one symptom of burnout.

A poor work environment can increase the likelihood of cyber breaches through negative behaviours. When people are anxious, tired, or under pressure, judgment can slip. Developers might skip security checks. Staff might ignore cybersecurity advice just to hit targets - studies show 74 percent of people would bend the rules to meet business goals.

Even after a breach, the stress doesn’t end. ICO investigations can slow work down, limit system access, and shake morale, especially if sensitive data is involved.

So, what actions can companies take?

#1. Create a culture of clarity and protection

A positive security culture doesn’t mean actions lack consequences. Employees should feel safe to ask questions, and report concerns.

This can be tricky to push if some employees already have a negative perception of workplace security.

A constant stream of security alerts can overwhelm employees, causing them to ignore even important messages. Managing numerous passwords and new work applications can compromise password security, as employees often reuse or create weak passwords.

All of these factors can make security feel like a chore – not a priority.

To improve the cybersecurity outlook, involve employees with regular phishing simulations and instant positive feedback for reporting suspicious activity. Making training interactive maintains engagement and helps foster a culture of appreciation.

Our research found that when employees feel appreciated at work, 88 percent are more likely to work harder for the business. This is why it can also be helpful to introduce recognition programmes to reward employees who follow best practices.

#2 Help employees manage stress

According to research, 95 per cent of cyber breaches result from human error, and, as mentioned earlier, overwork and stress can be significant contributors to mistakes that lead to data breaches.

This is why it’s important to ensure all project planning includes breathing room for employees, allowing space for security considerations and for mistakes to be made and fixed.

There also needs to be collaboration across all departments to make sure the impact of a data breach is evenly spread and that the stress doesn’t just fall on one team to resolve the issues.

For example, HR and IT should collaborate to safeguard sensitive employee and client data, and ensure that staff are aware of support available for mental wellbeing in the event of a data breach.

This may include Employee Assistance Programmes (EAPs), which support staff with issues like stress at home or work, financial difficulties and family and relationship concerns.

#3 Prepare a breach response in advance

You can’t predict exactly when a cyber incident will hit, but having a solid plan makes a huge difference, financially, operationally, and emotionally.

Staff feel calmer when they know what to do, and the business can act quickly, meet legal obligations, and protect its reputation.

Prompt and decisive actions also restore public confidence and trust and reassure shareholders.

Define clear procedures for notifying internal stakeholders, both employees and board members, as well as external parties like customers and stakeholders.

Make sure breach response plans are clear, accessible, and communicated - no one should be scrambling to find instructions when things go wrong.

#4 Offer real-time cybersecurity training

The sophistication of cyber threats is continually evolving, and business leaders must stay ahead by providing training that is both relevant and easily accessible to all employees.

Make security training both interactive and rewarding whenever possible. Practical and engaging training ensures that employees remain security-conscious in their daily work and don’t just think of it as IT’s responsibility.

Instead of isolated sessions, make training ongoing and interactive, with real-world simulations and gamified activities. Not only will this increase staff uptake in training, it will also make it front of mind during their day-to-days.

The bottom line?

Data protection isn’t just about tech. It’s about people, their wellbeing, and creating a workplace culture where security is second nature.

Look after your employees, and they’ll help look after your data too.

‍