According to the seventh annual Shred-it Information Security Tracker survey, conducted by Ipsos, Canadian businesses may not be keeping up with the complex privacy and digital security risks associated with a growing workplace environment.
According to the survey, 53 per cent of small business owners (SBOs) and 48 per cent of Canadian chief-level executives don’t feel confident about their current methods of securely disposing of paper/electronic media.
When it comes to the use of electronic devices in small businesses, there is a large gap between what SBOs believe to be their greatest security risk and the current data protection policies they have in place. Sixty per cent of SBOs believe their biggest information security risk in the next five to 10 years to be either online threats (29 per cent), cloud computing (16 per cent) or the paperless office (15 per cent). However, 46 per cent of SBOs don’t have a policy in place for disposing of confidential data found on electronic devices. In addition, 50 per cent of SBOs have no policy in place at all for governing the use of electronic devices in their business. In small businesses that have a process in place for disposing of data found on electronic devices, 59 per cent wipe or dispose of their electronic materials containing confidential information in-house.
“Even if information on an electronic device is erased, reformatted or wiped, it’s not always enough to protect confidential information. Destroying the device’s hard drive is the only way to ensure the information is unrecoverable,” says Paul Saabas, vice president at Shred-it, in a press release. “One of the best things any business can do to protect its customers over the long term is establish good data protection policies right from the start, which include securely and permanently destroying obsolete hard drives.”
In contrast to small business owners, 87 per cent of C-Suites work at organizations that have a policy in place for the use of electronic devices in their workplace. However, these measures are not quite complete, as 44 per cent don’t have a policy in place that is strictly adhered to and known by all employees for disposing of confidential data found on their devices. In addition, 47 per cent don’t require electronic devices to be both encrypted and password protected.
Although 92 per cent of C-Suites recognize that it is either very important or somewhat important to have an external provider for hard drive destruction, about 56 per cent of C-level executives wipe or dispose of their electronic materials in-house.
“Without policies governing the use and destruction of electronic devices, Canadian businesses put their organization and reputations at risk by exposing sensitive customer, employee and business data,” added Saabas. “While it’s true that small businesses face different resource challenges than larger businesses, there are simple and low-cost best practices that all businesses should implement regardless of size.”
The survey found that the lack of confidence businesses have in their own data destruction systems is paired with a lack of confidence in the Canadian government’s commitment to information security, as only 12 per cent of SBOs and 31 per cent of executives think the government is doing an excellent job.
Although government could play a greater role in information security by enforcing strict financial penalties for not adhering to document destruction legislation, the onus is on businesses to protect their customers, employees and themselves from data breaches.
To help Canadian businesses protect their sensitive information, Shred-it has compiled a few simple guidelines that all businesses can follow:
- regularly clean out storage facilities;
- destroy all unused hard drives using a third-party provider with a secure chain of custody;
- manage mobile devices by requiring them to be signed out whenever they are taken out of the office, using additional privacy safeguards, and educating employees on security;
- encrypt all electronic devices to make digital information unreadable; and
- use password management tactics, including multi-factor authentication, a password manager and a log-in abuse detection system.
Good policies governing electronic devices are important to prevent data breaches and ensure both the business and its customers feel confident that they are protected.