Fraud Prevention Month: Businesses should avoid making these common mistakes
By Canadian Security
With the arrival of Fraud Prevention Month, Shred-it is taking the opportunity to encourage business leaders to evaluate and assess their current information security protocols and procedures to ensure they are protecting the confidential data of their organization and customers.
According to the 2014 Shred-it Information Security Tracker, one in four organizations in Canada have never audited their company’s protocols for storing and disposing of confidential information. That opens those companies to security risks and the opportunity for fraud. Even more concerning is that companies that don’t audit aren’t even aware that a problem exists or how they could mitigate it.
“The first step in improving information security is conducting a thorough assessment of the vulnerabilities in your business,” said Bruce Andrew, EVP, Shred-it. “Once you have that knowledge and awareness, your business can take concrete action to lower risk and become more secure.”
There are a number of common mistakes that businesses make that are easily identifiable by examining their current information security procedures.
Shred-it has identified the following top ten mistakes businesses make that undermine their information security:
1. Allow non-secure recycling bins and wastepaper baskets: Disposing of information in an unsecure bin is just as risky as leaving it at a printer or on a desk. A shred-all policy eliminates the guesswork of what is and isn’t confidential from the process and ensures that employees don’t accidentally leave confidential information in unsecure bins. A third-party provider will also ensure that the material is recycled.
2. Allow employees to leave documents on their desks or in unlocked filing cabinets: In today’s busy work environment it is natural to keep documents in close proximity, resulting in loose paperwork being stored on desktops. Without a clear desk policy or lockable storage units for employees to protect confidential information, any paperwork is vulnerable to snooping and data theft, and available to outside staff such as cleaners and building maintenance.
3. Don’t secure printers: Many offices do not require employees to use a security code to complete a print job, which means that confidential information is frequently printed and left at printing stations. Also, businesses often overlook physically destroying hard drives on printers at end of life, not realizing that the information that’s been printed is stored in a printer’s memory.
4. Allow employees to remove confidential information from the office: In the past, employees generally worked at the office and rested at home. With an increasingly mobile workplace, people now take their work away from the office. While convenient, that means that confidential information may be left in areas that are unsecure. Companies should caution employees to only take or print confidential information outside the workplace when absolutely necessary and instruct them on proper secure disposal.
5. Allow employees to use personal smartphones without reviewing security measures: Smartphones allow employees to work from almost anywhere. They also allow another point of access to potentially confidential material. If your company doesn’t require the use of passwords (at a minimum) or encryption as part of your cyber security plan, the risk of a data breach increases.
6. Don’t properly manage IT devices: Electronic storage devices are very convenient when you can’t access the company network, but they also raise the risk of fraud. Businesses can reduce the risk of fraud by requiring that storage devices be signed out and ensuring that they are securely destroyed when they reach the end of their use.
7. Use whiteboards for team projects without clearing them: A collaborative workplace can result in increased productivity and innovative thinking. However, just as loose paperwork on a desk is vulnerable to snooping, confidential information left on whiteboards can increase an organization’s security risks, as the information is available in common areas for any passerby to see. It’s important that policies extend to the clearing of whiteboards so that information doesn’t fall into the wrong hands.
8. Allow password sharing on shared accounts without clear transition policies: Using a shared online account between multiple employees is convenient and can limit the number of accounts in use. However, using a common password that multiple people know increases vulnerability, especially when an employee leaves the company.
9. Don’t train your employees: The best information security policy is the one that employees follow. If employees don’t understand how or why to follow a policy, it’s pretty much dead on arrival. By investing the time in helping employees follow the rules, your company is investing in real security.
10. Don’t revisit and assess existing policies: As organizations change and grow, so do their information security risks. While many business leaders will include risk assessments of new programs at the onset of implementation, it is important to regularly revisit security policies and procedures to ensure they reflect the realities of a constantly changing business.
Business leaders need to acknowledge vulnerabilities within the workplace and take action to introduce policies and procedures that will help reduce the risk of fraud.