TORONTO, ON -- June 18, 2013 — Companies exchange sensitive information on a daily basis, but when it comes to protecting data from falling into the wrong hands, many Canadian businesses of all sizes are taking a passive approach to their information security. A recent study conducted by Ipsos Reid on behalf of Shred-it demonstrates that Canadian businesses lack not only awareness about information security breaches – they also underestimate a breach’s potential, making them vulnerable to data loss and possible financial and reputational damage.
The 2013 Shred-it Information Security Tracker revealed that both large and small Canadian businesses are not being vigilant enough when it comes to their information security policies and protocols. Combine this with a recent survey from the Office of the Privacy Commissioner of Canada that reveals just 13 per cent of Canadians feel businesses take the protection of their personal information seriously, consumers across the country are looking to businesses to take action and make information security a priority.
Industry Regulations? What regulations!
Despite this popular sentiment and the very real consequences of inaction, 22 per cent of small businesses indicate they are either not at all, or not very aware of their industry’s legal requirements for storing or disposing of confidential data, compared to just five per cent of large businesses. While large businesses are more aware of requirements, more than half (57 per cent) admit that while they have a protocol, not all employees are aware of it. Alarmingly, 40 per cent of small businesses admit to having no protocol at all in place.
A crucial first step for practicing effective information security is awareness of policies, but businesses across the board are not training staff regularly. Only six per cent of small businesses and 24 per cent of large businesses train staff on the company’s information security policies and procedures twice a year. One-third (33 per cent) of small businesses admit to never training their staff at all, while nearly half (44 per cent) of small businesses train only on an “as-needed” basis.
“It may be tempting for businesses to put information security on the back burner, particularly if they’ve never experienced a data breach,” says Bruce Andrew, Vice President Shred-it. “By making information security an important part of the organizational culture and by actively and regularly training all staff on the proper policies and protocols, businesses can make the safeguarding of sensitive data a company-wide practice potentially saving themselves from both financial and reputational damage.”
The 2013 Security Tracker also demonstrates an increase in the number of large Canadian organizations who report having no one responsible for managing data security issues (19 per cent, up from six per cent in 2012), while small businesses remain consistent year-over-year (45 per cent in 2013 compared to 47 per cent in 2012). Further, a considerable amount of companies of any size operating in the professional services sector (46 per cent), retail sector (45 per cent) and the public sector (42 per cent) report that they too do not have anyone in charge of their company’s information security.
Canadian businesses also continue to be complacent about securing their electronic media and hard drives. These obsolete media devices contain a wealth of data and Canadian companies are generally unaware that the most effective way to prevent retrieval of this information is by fully destroying the device (18 per cent of large businesses do so, compared to 14 per cent of small businesses). Nearly half of Canadian companies both large and small (44 per cent) mistakenly believe that wiping or degaussing a hard drive will render the data irretrievable, meaning that the majority of Canadian businesses inadvertently put themselves and their customers at risk of data being recovered.
A data breach could damage any organization’s bottom line, with the prospect of losing revenue, reputation or clients. The financial impact for those businesses that reported being victims of a breach appears to be on the rise, as 15 per cent of large businesses who experienced a breach indicated a loss of more than $500,000 (up from just three per cent in 2012).
It is crucial that businesses of any size take proactive steps to prevent data breaches; however, organizations may be leaving themselves, their clients or their customers at risk if their business partners or members of their supply chain do not have similar policies and protocols.
“Businesses may not realize that while they may have implemented a strict policy to protect confidential data, the information they have shared with partners and vendors may not be so secure,” says Andrew. “All it takes is one gap for a breach to occur and a reputation to be damaged.”
With that in mind, Canadian companies should consider reevaluating the risks associated with sharing data with members of their supply chain. Do these partners also demonstrate a commitment to information security? By creating a far-reaching information security policy that encompasses business partners and suppliers, companies can do a more effective job of protecting the confidential data of all Canadians.
Companies looking to put an information security policy and process in place are urged to apply for a free risk assessment service by a trained and background checked Shred-it representative. An online risk assessment survey is also available on the website. This will help you to determine how you are managing confidential information and the information destruction process. Having a system in place will better protect the overall business supply chain against the impact of a data security breach.
Shred-it is a world-leading information security company providing document destruction services that ensure the security and integrity of our clients' private information. The company operates 140 service locations in 16 countries worldwide, servicing more than 150,000 global, national and local businesses, including the world's top intelligence and security agencies, more than 500 police forces, 1,500 hospitals, 8,500 bank branches and 1,200 universities and colleges. For more information, please visit www.shredit.com
About Ipsos Reid:
Ipsos Reid is Canada's market intelligence leader, the country's leading provider of public opinion research, and research partner for loyalty and forecasting and modeling insights. With operations in eight cities, Ipsos Reid employs more than 600 research professionals and support staff in Canada. The company has the biggest network of telephone call centres in the country, as well as the largest pre-recruited household and online panels. Ipsos Reid's marketing research and public affairs practices offer the premier suite of research vehicles in Canada, all of which provide clients with actionable and relevant information. Staffed with seasoned research consultants with extensive industry-specific backgrounds, Ipsos Reid offers syndicated information or custom solutions across key sectors of the Canadian economy, including consumer packaged goods, financial services, automotive, retail, and technology & telecommunications. Ipsos Reid is an Ipsos company, a leading global survey-based market research group. To learn more, visit www.ipsos.ca
About the 2013 Security Tracker:
Ipsos Reid conducted a quantitative online survey of two distinct sample groups: 1003 small business owners in Canada (all of which have fewer than 100 employees), and 100 C-suite executives working for businesses in Canada with a minimum of 100 employees. Data are unweighted as the sample universe is unknown. This survey is considered accurate to within 3.5 percentage points had all small business owners been surveyed and to within 11.2 percentage points had all C-suites been surveyed. The fieldwork was conducted between April 16 and 23, 2013.
On behalf of Shred-it