Large and small Canadian businesses increasingly complacent about information security: report
Companies exchange sensitive information on a daily basis, but when it comes to protecting data from falling into the wrong hands, many Canadian businesses of all sizes are taking a passive approach to their information security.
A recent study conducted by Ipsos Reid on behalf of Shred-it demonstrates that Canadian businesses lack not only awareness about information security breaches – they also underestimate a breach’s potential, making them vulnerable to data loss and possible financial and reputational damage.
The 2013 Shred-it Information Security Tracker revealed that both large and small Canadian businesses are not being vigilant enough when it comes to their information security policies and protocols. Add to this a recent survey from the Office of the Privacy Commissioner of Canada revealing that just 13 per cent of Canadians feel businesses take the protection of their personal information seriously, and consumers across the country are looking to businesses to take action and make information security a priority.
Regulations? What regulations!
Despite this popular sentiment and the very real consequences of inaction, 22 per cent of small businesses indicate they are either not at all, or not very aware of their industry’s legal requirements for storing or disposing of confidential data, compared to just five per cent of large businesses. While large businesses are more aware of requirements, more than half (57 per cent) admit that while they have a protocol, not all employees are aware of it. Alarmingly, 40 per cent of small businesses admit to having no protocol at all in place.
A crucial first step for practicing effective information security is awareness of policies, but businesses across the board are not training staff regularly. Only six per cent of small businesses and 24 per cent of large businesses train staff on the company’s information security policies and procedures twice a year. One-third (33 per cent) of small businesses admit to never training their staff at all, while nearly half (44 per cent) of small businesses train only on an “as-needed” basis.
“It may be tempting for businesses to put information security on the back burner, particularly if they’ve never experienced a data breach,” says Bruce Andrew, Vice President, Shred-it. “By making information security an important part of the organizational culture and by actively and regularly training all staff on the proper policies and protocols, businesses can make the safeguarding of sensitive data a company-wide practice, potentially saving themselves from both financial and reputational damage.”
The 2013 Security Tracker also demonstrates an increase in the number of large Canadian organizations that report having no one responsible for managing data security issues (19 per cent, up from six per cent in 2012), while small businesses remain consistent year-over-year (45 per cent in 2013 compared to 47 per cent in 2012). Further, a considerable number of companies of any size operating in the professional services sector (46 per cent), retail sector (45 per cent) and the public sector (42 per cent) report that they too do not have anyone in charge of their company’s information security.
Canadian businesses also continue to be complacent about securing their electronic media and hard drives. These obsolete media devices contain a wealth of data and Canadian companies are generally unaware that the most effective way to prevent retrieval of this information is by fully destroying the device (18 per cent of large businesses do so, compared to 14 per cent of small businesses). Nearly half of Canadian companies both large and small (44 per cent) mistakenly believe that wiping or degaussing a hard drive will render the data irretrievable, meaning that the majority of Canadian businesses inadvertently put themselves and their customers at risk of data being recovered.
A data breach could damage any organization’s bottom line, with the prospect of losing revenue, reputation or clients. The financial impact for those businesses that reported being victims of a breach appears to be on the rise, as 15 per cent of large businesses that experienced a breach indicated a loss of more than $500,000 (up from just three per cent in 2012).
It is crucial that businesses of any size take proactive steps to prevent data breaches; however, organizations may be leaving themselves, their clients or their customers at risk if their business partners or members of their supply chain do not have similar policies and protocols.
“Businesses may not realize that while they may have implemented a strict policy to protect confidential data, the information they have shared with partners and vendors may not be so secure,” says Andrew. “All it takes is one gap for a breach to occur and a reputation to be damaged.”
With that in mind, Canadian companies should consider reevaluating the risks associated with sharing data with members of their supply chain. Do these partners also demonstrate a commitment to information security? By creating a far-reaching information security policy that encompasses business partners and suppliers, companies can do a more effective job of protecting the confidential data of all Canadians.