August 17, 2016

Five Strategies to Help Companies Strengthen Information Security and Get Back to Business

CINCINNATI, Aug. 16, 2016 -- As summer comes to an end, Shred-it is reminding business leaders that one of the best ways to reduce the risk of data breaches is employee training. This is particularly important during the fall "back to business" season when many employees are returning to the office after a well-deserved summer break.

fall-into-info-security-training-program.PNGAccording to the 2016 Shred-it Security Tracker information security survey conducted by Ipsos, U.S. companies are not prioritizing employee training in their fight against fraud and data breaches. Seventy-eight percent of U.S. Small Business Owners and half (51 per cent) of C-Suite respondents report that they only conduct employee training on their company's information security procedures once a year or less. Furthermore, 28 per cent of U.S. Small Business Owners report they have never trained employees on how to comply with legal requirements or company information security procedures and 22 per cent only conduct training on an ad-hoc basis.   

"With employees returning to work in the fall, business leaders have a prime opportunity to engage their teams and raise awareness of information security risks. They can consider taking advantage of this time to launch a comprehensive training program that makes information security best practices a part of all employees' daily routine and responsibilities," says Andrew Lenardon, Global Director, Shred-it. "Successful programs focus on building organizational knowledge and capacity on the right way to manage, store and destroy physical and digital data. Without good training repeated throughout the year, employees can unintentionally expose their organizations to serious risks including reputational damage, theft, fraud and data loss."

Experts suggest that employees may forget 50 per cent of training information within one hour of a presentation, 70 per cent within 24 hours and an average of 90 per cent within a week. When you consider this, it is clear that training once a year or on an ad-hoc basis is not sufficient to ensure information security policies and procedures are being followed1.

"Repetition and frequency are the keys to helping employees understand their roles and responsibilities around data management," explains Lenardon.

A well-trained workforce is essential to protecting organizations from a potentially damaging data breach. Shred-it offers five tips to help organizations develop and execute a comprehensive employee training program.

1. Commit to a Culture of Security: When management demonstrates a commitment to information security, employees are more likely to follow suit. If managers behave in a way that undermines security policies and procedures, employees won't take them seriously either. Consider asking employees to take a pledge to make their workplace a more secure environment. Display the pledge in various locations throughout the office. To encourage participation from all areas of the business, consider appointing employees from a range of departments to participate on a committee focused on improving information security practices.

2. Repetition and Frequency is Key: Training should occur throughout the year and include various modules on organizational information security policies. Consider a "multichannel" approach utilizing a mix of in-person and digitally-delivered video training content to ensure employees are aware of how to handle and dispose of confidential information.

3. Out of Sight, Out of Mind: Place visual cues throughout the office to remind employees of their responsibilities in protecting confidential information. Reminder posters, such as this series of office security posters from Shred-it that targets common workplace errors and areas that increase the risk of a data breach.

4. Go where your Employees are: A growing number of employees are now working outside of the traditional office environment. Ensure training addresses the safe destruction of confidential information for both office and remote workers. Also leverage internal newsletters, intranet news feeds, employee and corporate social media accounts to provide constant reminders about different aspects of information security that employees can access regardless of their location. Keep the information short to make it more digestible.

5. Embed it: Make security best practices a seamless part of daily tasks. Implement a Shred-it all Policy, which requires all documents to be destroyed when they're no longer needed and a Clean Desk policy which encourages employees to clear their desks and lock documents in a filing cabinet or storage unit when they leave their workstation at the end of each day. When these policies become common practice, there is little decision left to employees on what should and shouldn't be destroyed.

All businesses should increase the priority of employee training to protect workplace information security. When all employees understand how to manage and identify privacy risks, business leaders are in a better position to protect their customers, their reputation and their people.

About Shred-it 
Shred-it is a world-leading information security company providing information destruction services that ensure the security and integrity of our clients' private information. A wholly, owned subsidiary of Stericycle, Shred-it operates in 170 markets throughout 18 countries worldwide, servicing more than 400,000 global, national and local businesses. For more information, please visit www.shredit.com.

1 http://www.learningsolutionsmag.com/articles/1379/brain-science-the-forgetting-curvethe-dirty-secret-of-corporate-training