www.canadiansecuritymag.com

Shred-it study finds workplace mistakes put businesses at risk for data breaches


October 15, 2019
By CS Staff


OAKVILLE, Ont. — Two thirds (68 per cent) of businesses reported their organization has experienced at least one data breach in the past 12 months, and nearly three in four (69 per cent) of those data breaches involved the loss or theft of paper documents or electronic devices containing sensitive information. That is according to a new report from document destruction firm Shred-it, “The Security of Confidential Documents in the Workplace,” conducted by the Ponemon Institute, which reveals the discrepancy in priority between cybersecurity and physical security, and the mistakes employees and managers make that may be contributing to a rise in data breaches.

According to the report, typical workplace occurrences may be at the root of the problem, as 65 per cent of managers are concerned their employees or contractors have printed and left behind a document that could lead to a data breach. Seven in 10 (71 per cent) managers have seen or picked up confidential documents left in the printer. Also, over three in four (77 per cent) managers admit they have accidentally sent an email containing sensitive information to the wrong person. What’s more, nearly nine in 10 (88 per cent) have received an email containing sensitive information, from someone within or outside of their organization, that they were not intended to receive.

“The report reveals two key factors about information security in North American businesses – employee negligence, intentional or not, can be a leading contributor to data breaches and that businesses should equally consider the needs for cybersecurity and physical information security within their organization,” said Ann Nickolas, senior vice-president, Stericycle, the provider of Shred-it information security solutions. “Although cybersecurity is no doubt an important element of protection, businesses should look to strike a balance between investing in physical security and cybersecurity, as well as integrating better communication with employees on risk factors, to best arm themselves against potential breaches.”

When exploring physical security versus cybersecurity, the report found that less than two in five (39 per cent) managers believe the protection of paper documents is just as important as the protection of electronic records. This may be why more than half (51 per cent) of managers say their organization does not have a process for disposing of paper documents containing sensitive information.

Additional findings from the report include:

Tech and business managers are not aligned on security responsibilities and protocols

  • A quarter (25 per cent) of technology managers believe that CISOs are most responsible for granting access to paper documents or electronic devices containing sensitive or confidential information, compared to 1 per cent of business managers
  • 22 per cent of business managers believe no one function is most responsible, compared to 16 per cent of technology managers
    • 16 per cent of business managers believe the business owner is most responsible, compared to 6 per cent of technology managers
  • Fewer (32 per cent) tech managers than business managers (42 per cent) believe the protection of paper documents is just as important as the protection of electronic records
  • Less than half (45 per cent) of tech managers and more than half (53 per cent) of business managers say their organization does not have a process for disposing of paper documents containing sensitive or confidential information after they’re no longer needed
    • After reviewing paper documents, more tech managers (41 per cent) than business managers (30 per cent) shred the documents, and more business managers (22 per cent) than tech managers (19 per cent) throw the documents in the garbage

Employees may be gaining access to sensitive or confidential information

  • Organizations may not be taking all precautions to restrict employees from accessing physical paper documents they should not have access to:
    • Only a third (33 per cent) use physical security to prevent unauthorized access to document storage facilities
    • Nearly two in five (38 per cent) use filing cabinets or locked desks to store these documents
    • Less than a third (31 per cent) enforce a clean desk policy
    • Half (50 per cent) of managers say their organization does not take any of these steps
    • Nearly two thirds (60 per cent) of managers agree employees, temporary employees and contractors have access to paper documents that are not pertinent to their role or responsibility

Managers are also guilty of neglecting sensitive and confidential information

  • More than half (51 per cent) of managers have no process for disposing of paper documents containing sensitive or confidential information after they are no longer needed
  • After reviewing a paper document, more than a fifth (21 per cent) throw the document in the garbage
  • The majority (54 per cent) of managers have been targeted by a phishing email or social engineering scam at work, but only 39 per cent of managers contacted their supervisor