OAKVILLE, ON–Canadian businesses may be a little too confident in their information security practices. And that could pose problems both internally and with their customers that companies need to address.
These findings, and others, are contained in Shred-it’s 10th annual Data Protection Report (formerly “The Security Tracker: State of the Industry Report”). Based on a survey conducted by Ipsos, the report sheds light on trends in data protection practices and the risks Canadian businesses, organizations, and consumers face related to keeping their data secure.
The report, which was completed prior to the COVID-19 pandemic, also exposes that more focus is needed around information security in the home, where C-suite executives (C-suites) and small business owners (SBOs) feel the risk of a data breach is higher.
Ensuring consumer trust
The Data Protection Report found that external threats and physical property loss are the biggest information security threats to Canadian businesses. Yet emphasis on employee training and policies has declined in 2020. This could pose issues for businesses, as 86 percent of consumers indicated that physical and digital security is a top priority for them when choosing who to do business with.
- 66 percent of consumers are concerned that paper documents with their confidential information exist. 83 percent of consumers are concerned that private, personal information about them is hosted somewhere on the Internet; and
- If a company they did business with suffered a data breach and their personal data was compromised, consumers would tell others about the breach (31 percent). Moreover they may lose trust and demand to know what is being done to prevent future breaches (23 percent), seek compensation (23 percent), or stop doing business with them (24 percent).
The findings reinforce the need for business owners to have data protection policies in place. Threats to data security, both physical (including paper documents, laptop computers, and external hard drives) and digital (including malware, ransomware, and phishing attacks), have outpaced efforts and investments to combat them.
While technology advancements have allowed businesses to move their information to the cloud, only 6 percent of C-suites and 14 percent of SBOs operate in a paperless environment. Businesses still consume vast amounts of paper, dispelling the myth of offices going digital and signalling a need for oversight of physical information and data security.
Mitigating office, remote data breach risks
Both C-suites (18 percent) and SBOs (21 percent) indicated that physical loss or theft of sensitive information is the biggest information security threat facing their businesses. Yet although 93 percent of C-suites and 58 percent of SBOs have a known and understood policy for storing and disposing of confidential paper documents, only 62 percent of C-suite employees and 40 percent of SBO employees strictly adhere to the policy. In addition, 44 percent of SBOs have no policy in place for disposing of confidential information on end-of-life electronic devices.
While the work-from-home trend has risen over the years, the COVID-19 pandemic abruptly launched employees into that status, leaving many without supporting policies. 83 percent of C-suites and 64 percent of SBOs agree the risk of a data breach is higher when their employees work off-site as opposed to in the office. But two-thirds (64 percent) of C-suites and only 36 percent of SBOs have confidential information storage and disposal policies for remote work that are strictly adhered to by employees. 42 percent of SBOs state that no policy exists at all.
This issue may well become more critical in the future. The majority of C-suites (76 percent) and SBOs (51 percent) had employees who regularly or periodically work off-site prior to the outbreak. And 90 percent of C-suites and 64 percent of SBOs believe that the option to work remotely will become increasingly important to their employees over the next five years.
“As we adjust to our new normal in the workplace, or at home, it’s crucial that policies are adapted to align with these changes and protect sensitive information,” said Cindy Miller, president and chief executive officer for Stericycle, the provider of Shred-it information security services. “As information security threats grow, it’s more important than ever that we help businesses and communities protect valuable documents and data from the risks of an information breach.”
Needed: better training on security procedures
Lack of frequent training could be causing adherence issues. 35 percent of C-suites and 16 percent of SBOs admitted that they offer training at least twice per year on their organizations’ information security policies and procedures.
Additionally, infrequent training could make organizations more vulnerable to security attacks. Nearly all (95 percent) C-suites and more than half (57 percent) of SBOs say they conduct some form of employee training on cyberattack tactics, such as phishing, ransomware, or other malware. But a statistically higher proportion of employees (10 percent; up 4 percent from 6 percent in 2019) have fallen victim to these scams in 2020 than 2019.
To learn more about how organizations can better protect their business against data breaches and receive additional survey findings, download Shred-it’s 2020 Data Protection Report.
“As a society, we are facing new information security challenges every day, from the rise of remote working to increased consumer concern,” said Michael Borromeo, vice president of data protection for Stericycle. “To protect businesses now and for the long haul, it’s instrumental that leaders re-evaluate information security training and protocols to adjust to our changing world and maintain consumer trust.”