Canadian Businesses Are Vulnerable in a Digital Age
The seventh annual Security Tracker Survey reveals Canadian businesses have few or no policies for managing electronic devices
Toronto - Consumers and employees need to feel confident that the sensitive information they entrust to businesses is protected. But what if businesses don't feel confident themselves?
The seventh annual Shred-it Information Security Tracker Survey, conducted by Ipsos, reveals that Canadian businesses may not be keeping up with the complex privacy and security risks associated with an evolving workplace environment, and they know they're falling behind. Just over half (53 per cent) of Small Business Owners (SBOs) and just under half (48 per cent) of Canadian C-Suites don't feel confident about their current secure destruction systems for paper/electronic media.
When it comes to the use of electronic devices in small businesses, there is a striking gap between what SBOs perceive to be their greatest security risk and the current data protection policies they have in place. Sixty per cent of SBOs perceive their biggest information security risk in the next five to ten years to be either online threats (29 per cent), cloud computing (16 per cent) or the paperless office (15 per cent), all of which originate from electronic media. Yet, 46 per cent of SBOs don't have a policy in place for disposing of confidential data found on electronic devices. More concerning, 50 per cent of SBOs have no policy in place at all for governing the use of electronic devices in their business. And for those small businesses that have a practice for disposing of data found on electronic devices, the majority (59 per cent) wipe or dispose of their electronic materials containing confidential information in-house.
"Even if information on an electronic device is erased, reformatted or wiped, it's not always enough to protect confidential information. Destroying the device's hard drive is the only way to ensure the information is unrecoverable," says Paul Saabas, Vice President at Shred-it. "One of the best things any business can do to protect its customers over the long term is establish good data protection policies right from the start, which include securely and permanently destroying obsolete hard drives."
Contrary to their small business counterparts, a significant majority (87 per cent) of C-Suites work at organizations that have a policy in place for the use of electronic devices in their workplace. However, these measures are incomplete: 44 per cent don't have a policy in place that is strictly adhered to and known by all employees for disposing of confidential data found on those electronic devices. And 47 per cent don't require electronic devices to be both encrypted and password protected.
Furthermore, while 92 per cent of C-Suites recognize that it is either very important or somewhat important to have an external provider for hard drive destruction, over half (56 per cent) of C-Suites wipe or dispose of their electronic materials containing confidential information in-house.
"Without policies governing the use and destruction of electronic devices, Canadian businesses put their organization and reputations at risk by exposing sensitive customer, employee and business data," says Saabas. "While it's true that small businesses face different resource challenges than larger businesses, there are simple and low-cost best practices that all businesses should implement regardless of size."
The survey found that the lack of confidence Canadian businesses have in their own data destruction systems is coupled with a lack of confidence in the Canadian government's commitment to information security: only 12 per cent of SBOs and 31 per cent of C-Suites think the government is doing an excellent job.
While there may be a greater role for government in information security (52 per cent of C-Suites say that strict financial penalties for not adhering to document destruction legislation would put pressure on their organization to change its policies), the onus is on businesses to protect their customers, their employees and themselves from data breaches.
To help Canadian businesses feel confident that their sensitive information on electronic devices is protected, Shred-it offers five simple and low-cost guidelines that businesses of all sizes can follow.
• Regularly clean out storage facilities and avoid stockpiling unused hard drives.
• Destroy all unused hard drives using a third-party provider that has a secure chain of custody to help give you peace of mind and ensure your data is kept out of the hands of fraudsters.
• Manage mobile devices by requiring that devices be signed out whenever they are taken out of the office. Put additional privacy safeguards in place, such as requiring authentication to unlock a device and teaching employees to never leave equipment unattended.
• Encrypt all electronic devices to make digital information unreadable. If lost or stolen, encryption will help protect the confidential information stored on the device and mitigate any compromising activity.
• Use password management tactics including multi-factor authentication, a password manager for generating and storing passwords, and a log-in abuse detection system.