June 17, 2019

Shred-it Study Finds U.S. Business’ Information Security Plagued by Human Error, Insider Threats, and Deliberate Sabotage

LAKE FOREST, IL., June 17, 2019 - With the incidence of reported data breaches on the rise, more than half of all C-suite executives (C-Suites) (53%) and nearly three in 10 Small Business Owners (SBOs) (28%) who suffered a breach reveal that human error or accidental loss by an external vendor/source was the cause of the data breach. That is according to Shred-it's Ninth Annual Data Protection Report (formerly known as “The Security Tracker: State of the Industry Report”), which exposes information and data security risks currently threatening U.S. enterprises and small businesses and includes findings from a survey conducted by Ipsos.

When assessing additional causes of data breaches, the report found that nearly half of all C-Suites (47%) and one in three SBOs (31%) say human error or accidental loss by an employee/insider was the cause. What’s more, one in five C-Suites (21%) and nearly one in three SBOs (28%) admit deliberate theft or sabotage by an employee/insider was the cause of the data breach, compared to two in five C-Suites (43%) and one in three SBOs (31%) who say deliberate theft or sabotage by an external vendor/source caused their organization to suffer a data breach. 

“For the second consecutive year, employee negligence and collaboration with external vendors continues to threaten the information security of U.S. businesses,” said Ann Nickolas, Senior Vice President, Stericycle, the provider of Shred-it information security solutions. “New to this year however, is that the report revealed how deliberate sabotage by both employees and external partners are very real risks organizations face today. The consequences of a data breach are extensive and are not limited to legal, financial and reputational damage. As the report showed, data breaches can affect employee retention too.”

While the result of a data breach can have a variety of consequences on U.S. businesses, one of the most important factors is that a breach has an immediate effect on employee trust in an organization. In fact, one-third (33%) of the U.S. workforce say they would likely look for a new job if their employer suffered a breach of customer (31%) or employee data (35%). What’s more, while nearly half of all consumers (47%) would wait to see how a business reacts to a data breach they’ve suffered before making up their mind about what to do, nearly one in four consumers (23%) would stop doing business with the company and nearly one-third (31%) would tell others about the breach. 

Additional findings from the report include:

Lack of training leaves employees unaware of information security policies and procedures.
  • When asked if their organization has a known and understood policy for storing and disposing of confidential paper documents, one in five (21%) of C-Suites admit they have a policy but that not all employees are aware of it and more than one in 10 (12%) of SBOs said the same.
  • Three in 10 (30%) of SBOs admit that no policy exists for storing and disposing of confidential paper documents.
  • When it comes to understanding policies for storing and disposing of end-of-life electronic devices, one in five C-Suites (21%) and SBOs (12%) say they have a policy, but not all employees are aware of it. Four in 10 (42%) SBOs say no policy exists in their organization.

U.S. businesses acknowledge remote work is important to employees, but worries of a data breach grow.
  • 94% of C-Suites and 79% of SBOs agree with the statement that they believe the option to work remotely is going to become increasingly important to their employees in the next 5 years.
  • However, 88% of C-Suites and 69% of SBOs agree with the statement that the risk of a data breach is higher when their employees work off-site than it is when they work at the office. 
  • One in six (16%) working Americans say their organization has suffered a data breach, at some point in the past.
Despite investments in digital security, U.S. businesses remain vulnerable due to lack of information and cyber security training.
  • Of the money their organization spends on data security, C-Suites say 59% is spent on digital security and 41% on physical document security, on average. SBOs say 56% is spent on digital security and 44% on physical document security, on average.
  • One in 10 C-Suites (10%) and nearly one in 10 SBOs (9%) say they train their staff only once during their employment on their organization’s information security policies and procedures.
  • Although the majority of C-Suites (88%) regularly train employees on how to identify common cyber-attack tactics such as phishing, ransomware, or other malware (malicious software), however, only slightly more than half of SBOs (52%) say the same.
  • Around three in five (58%) working Americans have been targeted by phishing email or social engineering scams at work, of which eight percent (8%) claim to have been victimized by them.
Americans think their personal data and information is less secure than it was 10 years ago. 
  • Consumer confidence in data security is low with more than half (60%) believing their personal data and information is less secure than it was 10 years ago. 
  • With those concerns, it’s no surprise that 83% of consumers say digital data security is a top priority when choosing who to do business with. 
  • Additionally, nearly seven in 10 consumers (66%) do not trust that all digital data breaches are properly disclosed to consumers and not kept secret. 

About the 2019 Data Protection Report
Shred-it commissioned Ipsos to conduct a quantitative online survey of Small Business Owners (SBOs) in the United States (n=1,000), with fewer than 100 employees and C-Suite Executives in the United States (n=100) with a minimum of 500 employees. Data for Small Business Owners is weighted by region. Data for C-Suite Executives is unweighted as the population is unknown. The precision of Ipsos online surveys is calculated via a credibility interval.  In this case, the U.S. SBO sample is considered accurate to within +/- 3.5 percentage points had all U.S. small business owners been surveyed, and the U.S. C-Suite sample is accurate to within +/- 11.2 percentage points had all US C-Suite Executives been surveyed. The fieldwork was conducted between March 26th and April 1st, 2019.

In addition to the quantitative online survey, Ipsos conducted a short omnibus survey among a gen pop sample of n=2,014 Americans about data protection and security. The credibility interval for this sample group is +/- 2.5 percentage points, 19 times out of 20, of what the results would have been had all adults in the U.S. over the age of 18 been surveyed.

About Shred-it
Shred-it is a world-leading information security service provided by Stericycle, Inc. Shred-it solutions ensure the security and integrity of private and confidential information, protecting more than 500,000 global, national and local businesses across 17 countries worldwide. For more information, please visit www.shredit.com.

About Ipsos
Ipsos is an independent market research company controlled and managed by research professionals. Founded in France in 1975, Ipsos has grown into a worldwide research group with a strong presence in all key markets. Ipsos ranks fourth in the global research industry.

With offices in 89 economies, Ipsos delivers insightful expertise across five research specializations: brand, advertising and media; customer loyalty; marketing; public affairs research; and survey management.

Ipsos researchers assess market potential and interpret market trends. They develop and build brands. They help clients build long-term relationships with their customers. They test advertising and study audience responses to various media and they measure public opinion around the globe.

Ipsos has been listed on the Paris Stock Exchange since 1999 and generated global revenues of €1,780.5 million in 2017.