Canadian businesses need to step up data security measures: report

Shred-it released its 10th Anniversary Edition Data Protection Report, revealing an overly confident perception of information security practices within Canadian businesses at all levels.

The Data Protection Report found that external threats and physical property loss are the biggest information security threats to Canadian businesses. Yet, emphasis on employee training and policies has declined in 2020. With increased consumer expectations, it is more important than ever for businesses to rethink their information security training and policies. This decline could pose issues for businesses, as 86% of consumers indicated that physical and digital security is a top priority for them when choosing who to do business with.

The findings reinforce the need for business owners to have data protection policies in place as threats to data security, both physical (including paper documents, laptop computers and external hard drives) and digital (including malware, ransomware and phishing attacks), have outpaced efforts and investments to combat them. The report, which was completed prior to COVID-19, also exposes that more focus is needed around information security in the home, where C-suite executives (C-suites) and small business owners (SBOs) feel the risk of a data breach is higher.

While advancements in technology have allowed businesses to move their information to the cloud, only 6% of C-suites and 14% of SBOs operate in a paperless environment. Businesses still consume vast amounts of paper, dispelling the myth of offices going digital and signaling a need for oversight of physical information and data security.

C-suites (18%) and SBOs (21%) indicated that physical loss or theft of sensitive information is the biggest information security threat facing their business. Although 93% of C-suites and 58% of SBOs have a known and understood policy for storing and disposing of confidential paper documents, only 62% of C-suite employees and 40% of SBO employees strictly adhere to the policy. In addition, 44% of SBOs have no policy in place for disposing of confidential information on end-of-life electronic devices.

While the work-from-home trend has risen over the years, the COVID-19 pandemic abruptly launched employees into work-from-home status, many without supporting policies. The majority of C-suites (76%) and SBOs (51%) had employees who regularly or periodically work off-site. While 83% of C-suites and 64% of SBOs agree the risk of a data breach is higher when their employees work off-site as opposed to in the office, just two thirds (64%) of C-suites and 36% of SBOs have remote work policies in place that are strictly adhered to by employees.

“As we adjust to our new normal in the workplace, or at home, it’s crucial that policies are adapted to align with these changes and protect sensitive information,” said Cindy Miller, president and chief executive officer for Stericycle, the provider of Shred-it information security services, in a prepared statement. “As information security threats grow, it’s more important than ever that we help businesses and communities protect valuable documents and data from the risks of an information breach.”

Lack of frequent training could be causing adherence issues with 35% of C-suites and 16% of SBOs admitting they offer training at least twice per year on their organization’s information security policies and procedures. Additionally, infrequent training could make organizations more vulnerable to security attacks. While nearly all (95%) C-suites and more than half (57%) of SBOs say they conduct some form of employee training on cyber-attack tactics, such as phishing, ransomware or other malware, a statistically higher proportion of employees (10%; up 4% from 6% in 2019) have fallen victim to these scams in 2020 than 2019.

“As a society, we are facing new information security challenges every day, from the rise of remote working to increased consumer concern,” said Michael Borromeo, vice-president of data protection for Stericycle, the provider of Shred-it information security services. “To protect businesses now and for the long haul, it’s instrumental that leaders reevaluate information security training and protocols to adjust to our changing world and maintain consumer trust.”

Additional findings from the report include:

While many Canadian businesses feel they are getting better at protecting sensitive information, declining consumer trust and increased expectations may impact the bottom line

• 66% percent of consumers are concerned that paper documents with their confidential information exist, and 83% of consumers are concerned that private, personal information about them is hosted somewhere on the internet.
• If a company they did business with suffered a data breach and their personal data was compromised, consumers would tell others about the breach (31%), lose trust and demand to know what is being done to prevent future breaches (23%), seek compensation (23%) or stop doing business with them (24%).

Remote work has increased over the years, but information security policies are lacking

• Prior to the COVID-19 pandemic, 76% of C-suites and 51% of SBOs had employees who regularly or periodically worked off-site.
• 90% of C-suites and 64% of SBOs believe that the option to work remotely will become increasingly important to their employees over the next five years.
• While 53% of SBOs have a policy in place for storing and disposing of confidential information when employees work off-site, only 36% of SBOs indicate that their policy is strictly adhered to by all employees. 42% of SBOs state that no policy exists at all.
• 83% of C-suites and 64% of SBOs agree the risk of a data breach is higher when employees work off-site than when they work at the office.