October 26, 2020

Shred-it 10th Anniversary Data Protection Report Finds Decline in Information Security Training and Policies May Negatively Impact U.S. Businesses

BANNOCKBURN, IL – October 26, 2020 – Shred-it, a leading information security service provided by Stericycle Inc. (Nasdaq: SRCL), announced today the release of its 10th Anniversary Edition Data Protection Report (formerly known as “The Security Tracker: State of the Industry Report”), which outlines data security risks threatening U.S. enterprises and small businesses. The findings are based on a survey conducted by Ipsos, shedding light on trends in data protection practices and the risks American businesses, organizations, and consumers face related to keeping their data secure.
 
According to the report, nearly half (43%; up 21% from 2017) of C-suite executives (C-suites) and 12% (up 7% from 2017) of small business owners (SBOs) have experienced a data breach. While companies are getting better at protecting their customers’ personal and sensitive information, their focus on security training and protocols has declined in the last year. This decline could pose issues for businesses, as 83% of consumers say they prefer to do business with companies who prioritize protecting their physical and digital data.
 
The findings reinforce the need for business owners to have data protection policies in place as threats to data security, both physical (including paper documents, laptop computers or external hard drives) and digital (including malware, ransomware and phishing scams), have outpaced efforts and investments to combat them. The report, which was completed prior to COVID-19, also exposes that more focus is needed around information security in the home, where C-suites and SBOs feel the risk of a data breach is higher.
 
While advancements in technology have allowed businesses to move their information to the cloud, only 7% of C-suites and 18% of SBOs operate in a paperless environment. Businesses still consume vast amounts of paper, dispelling the myth of offices going digital and signaling a need for oversight of physical information and data security.
 
Having policies in place can mitigate the risk of physical security breaches
C-suites and SBOs indicated external threats from vendors or contractors (25% C-suites; 18% SBOs) and physical loss or theft of sensitive information (22% C-suites, 19% SBOs) are the top information security threats facing their business. Yet, the number of organizations with a known and understood policy for storing and disposing of confidential paper documents adhered to by all employees has declined 13% for C-suites (73% in 2019 to 60% in 2020) and 11% for SBOs (57% in 2019 to 46% in 2020). In addition, 49% of SBOs have no policy in place for disposing of confidential information on end-of-life electronic devices. 
 
While the work-from-home trend has risen over the years, the COVID-19 pandemic abruptly launched employees into work-from-home status, many without supporting policies. The majority of C-suites (77%) and SBOs (53%) had employees who regularly or periodically work off-site. Despite this trend, just over half (53%) of C-suites and 41% of SBOs have remote work policies in place that are strictly adhered to by employees working remotely (down 18% from 71% in 2019 for C-suites; down 8% from 49% in 2019 for SBOs).
 
“As we adjust to our new normal in the workplace, or at home, it’s crucial that policies are adapted to align with these changes and protect sensitive information,” said Cindy Miller, president and chief executive officer for Stericycle, the provider of Shred-it information security services. “As information security threats grow, it’s more important than ever that we help businesses and communities protect valuable documents and data from the risks of an information breach.”
 
Better training on security procedures and policies is needed
When it comes to training, 24% of C-suites and 54% of SBOs reported having no regular employee training on information security procedures or policies. Additionally, the number of organizations that regularly train employees on how to identify common cyber-attack tactics, such as phishing, ransomware or other malicious software, declined 6% for C-suites (from 88% in 2019 to 82% in 2020) and 7% for SBOs (from 52% in 2019 to 45% in 2020).
 
“As a society, we are facing new information security challenges every day, from the rise of remote working to increased consumer concern,” said Michael Borromeo, vice president of data protection for Stericycle, the provider of Shred-it information security services. “To protect businesses now and for the long haul, it’s instrumental that leaders reevaluate information security training and protocols to adjust to our changing world and maintain consumer trust.”
 
Additional findings from the report include:
 
While many U.S. businesses feel they are getting better at protecting sensitive information, declining consumer trust and increased expectations may impact the bottom line

  • 86% of consumers are concerned that private, personal information about them is present on the internet.
  • Nearly a quarter (24%) of consumers would stop doing business with a company if their personal information was compromised in a data breach. Beyond losing their loyalty, consumers would lose trust in the business (31%) and demand to know what the business is doing to prevent future breaches (31%).
  • Less than two in five (38%) consumers trust that all physical and digital data breaches are properly disclosed to consumers (up 4% from 34% in 2019).

Businesses are reducing focus on policies for disposing of confidential information despite physical theft and vendor threats being top risks

  • While more than half (60%) of C-suites and nearly half (46%) of SBOs have a known and understood policy for storing and disposing of confidential paper documents, strict employee adherence to these policies has declined from 2019. Down 13% from 73% in 2019 for C-suites and down 11% from 57% in 2019 for SBOs.
  • Additionally, one in ten (10%) C-suites and 38% of SBOs admit they have no policies in place for disposing of confidential paper documents, up 4% for C-suites (from 10% in 2019) and 8% for SBOs (from 30% in 2019).

Remote work has increased over the years, but information security policies are lacking

  • Prior to the COVID-19 pandemic, nearly half (45%) of small businesses did not have a policy for storing and disposing of confidential information when employees work off-site from the office.
  • A secondary Shred-it study found that 75% of employees own a home printer that they use to print work documents and 43% print work-related documents weekly.

To learn more about how organizations can better protect their business against data breaches and receive additional survey findings, download Shred-it’s 2020 Data Protection Report here.

About the 2020 Data Protection Report
Shred-it commissioned Ipsos to conduct a quantitative online survey of small business owners (SBOs) in the United States (n=1,000), with fewer than 100 employees and C-suite executives in the United States (n=100) with a minimum of 500 employees. Data for small business owners is weighted by region. Data for C-suite executives is unweighted as the population is unknown. The precision of Ipsos online surveys is calculated via a credibility interval. In this case, the U.S. SBO sample is considered accurate to within +/- 3.7 percentage points had all U.S. small business owners been surveyed, and the U.S. C-suite sample is accurate to within +/- 11.2 percentage points had all U.S. C-suite executives been surveyed. The fieldwork was conducted between February 27 and March 9, 2020.
 
In addition to the quantitative online survey, Ipsos conducted a short omnibus survey among a general population sample of n=2,011 Americans regarding data protection and security. The credibility interval for this sample group is +/- 2.5 percentage points, 19 times out of 20, of what the results would have been had all adults in the U.S. over the age of 18 been surveyed.
 
About Shred-it:
Shred-it is an information security service provided by Stericycle, Inc. Shred-it’s leading information destruction solutions ensure the security and integrity of private and confidential information, protecting global, national and local businesses across 14 countries worldwide. For more information, please visit www.shredit.com.