Businesses are deprioritizing information security and decreasing their investment in the destruction of confidential information, according to Shred-it.
According to the study, 86% of c-suite executives are aware of the legal requirements supporting the protection of confidential data, however one in five have never performed a security audit, down 13% from 2013.
The study also found that almost half of the small business owners surveyed conduct no regular audits of their security protocols, while 3 in 10 have never even performed an audit. Further, 33% of c-suite executives acknowledge having both a locked console in the office for confidential documents; this is down 22% from last year. The study also found that almost half of the small businesses owners surveyed have no protocol for storing and disposing of confidential information.
“In the 4 years we’ve been conducting this study, this is the first year we’ve seen a country deprioritize information security. This is alarming given the fact that companies are facing an increasing number of security risks and should be making information security a priority.” said Bruce Andrew, Executive Vice President at Shred-it. “It is more important than ever before that business leaders understand the financial and reputational implications when confidential documents fall into the wrong hands. Protecting information and preventing fraudulent activity doesn’t have to be an onerous task.”
- 43% of c-suite executives would encourage new privacy information laws requiring stricter compliance and larger enforceable penalties
- C-suite executives who just throw sensitive documents into the garbage has increased to 10% from 1 percent
- 70% of small business owners and 30% of c-suite executives don’t have a cyber-security policy in place
- 15% of c-suite executives surveyed are likely to have never trained staff on security procedures, and are less likely to report on staff training occurring at least once a year. This is up 13% from 2013
- Only 38% of c-suite executives admit to having an employee directly responsible for managing data security issues at the management level, this is down 23% from 2013
- C-suites are twice as likely not to have an employee responsible for managing data security issues in their workplace, up 11% from 2013.
Results also show that businesses of all sizes lack awareness about information security breaches, and they underestimate the potential financial and reputational implications. Four in 10 small businesses owners, and 2 in 10 c-suite executives, do not think lost or stolen data would seriously impact their business. Further, 1 in 5 small business owners and c-suite executives admit to not knowing how their business would be impacted in the event data was stolen or lost, while 2 in 10 c-suite executives admit to having experienced lost or stolen data resulting in a financial impact to their business.
“Businesses can no longer remain complacent. Procedures and protocols to protect information need to be established to ensure confidentiality of information,” says Andrew. “The study clearly shows us that business leaders are looking for more commitment from the US government and, given change takes time, we’re suggesting that business leaders take responsibility by doing all they can to establish a culture of security.”
The following simple steps can help organizations begin establishing a culture of security:
- Demonstrate a top-down commitment from management to the total security of your business and customer information
- Establish a formal information security policy; train employees to know the policies well and follow them rigorously
- Introduce a “shred-all” policy, where unneeded documents are fully destroyed on a regular basis; remove the decision-making process regarding what is and isn’t confidential
- Introduce special locked containers instead of traditional recycling bins for disposing of confidential documents
- Conduct periodic security audits. If you don’t have the resources to implement a secure document destruction program, work with a reliable third-party vendor.