- Over two-fifths of businesses think employees pose the biggest risk to information security today
- Just 16 percent of C-suite execs say deliberate theft or sabotage by a third party is the most likely source of a data breach
- Business leaders see legislation as key to effecting change
Businesses in Australia view human error as a larger threat to information security than deliberate theft or sabotage from a third party, according to global information security company Shred-it’s second annual Australian Information Security Tracker study.
The survey, based on responses from more than 1,100 businesses in Australia, shows that businesses are at risk of damaging data breaches caused by human error due to inconsistent knowledge of information security risks and poor implementation of security policies and protocols.
Human error or accidental loss by an employee is identified as the biggest source of a potential data breach, with 38 percent of C-suite executives and 46 percent of small business owners recognising this as an area of concern. Despite this, almost a third (29 percent) of small and medium-sized businesses (SMEs) and 5 percent of larger organisations said they had either never trained their staff on information security policies or didn’t have these policies in place. A further third (33 percent) of SMEs said they had no documents that would cause their business harm if stolen, despite the fact that all businesses deal with confidential information such as employee records, customer information and other personal, financial and proprietary company data.
William White, National Sales Manager, Shred-it Australia, commented: “The issue of employee error is understandably a large concern to businesses in Australia. Deceptively simple actions such as leaving paperwork containing client information on your desk or throwing old invoices in the recycling bin could potentially have a damaging impact on any organisation. Leaked confidential information can not only hurt a company’s reputation but also put them on the wrong side of the law. Businesses must understand the responsibility they have to ensure their employees fully understand how to handle and dispose of information. An educated workforce is one of the first steps to ensuring your organisation is protected from data thieves.”
The importance of information security protocols
When it comes to disposing of confidential information in a physical format, larger organisations are more inclined to have a formal policy for shredding documents prior to disposal compared to SMEs. Additionally, large organisations are three times (45 percent) more likely than SMEs (15 percent) to invest in external services for disposing of confidential information, with improved safety and security cited as the most common reason.
Additionally, whilst 82 percent of large organisations and 63 percent of SMEs claim to be auditing their organisation’s information security procedures or protocols at least once a year, a staggering one quarter of small business owners claim to be rarely or never doing this.
Implementing policies, such as a Clean Desk policy in the workplace, and ensuring staff are trained on these will ensure that staff are not leaving documents in plain sight whilst away from their desk and are disposing of all sensitive information securely. However, this is not a widespread practice, with only 23 percent of SMEs having a formal policy, compared to 48 percent of larger organisations.
“The Shred-it 2016 Security Tracker demonstrates the urgent need for all Australian businesses to closely evaluate their organisation’s policies and to implement protocols, such as a Clean Desk policy and Shred-it All policy, to ensure that their confidential information remains secure and they do not put themselves at risk of a damaging data breach,” White said.
A Shred-it All policy will ensure that all documents are securely destroyed on a regular basis, removing the decision on what should and should not be treated as confidential from individual employees. Implementing a Shred-it All policy strengthens information privacy and confidentiality and is one of the simplest and most effective ways to improve security and help prevent security breaches.
Further findings from the Shred-it 2016 Security Tracker
Lack of understanding and education among businesses on the broader implications of a data breach:
- The Security Tracker reveals that C-suite executives have a deeper comprehension of a data breach’s broader implications on the business, with only 3 percent believing that a data breach would not have a serious impact on their business.
- By contrast, 40 percent of small business owners said an information breach would not have a serious impact on their business despite data breaches costing Australian businesses an average of AU$2.82.
Businesses failing to understand the legal requirements concerning confidential information:
- The 2016 Shred-it Security Tracker unearthed worrying statistics that show low awareness among businesses of the legal requirements concerning confidential data. Fewer C-suite executives claimed to be ‘very aware’ of the legal requirements of storing, keeping or disposing of confidential data in their industry this year (52 percent in 2016 compared to 67 percent in 2015). In comparison, SMEs have remained at a stable level of awareness year on year, with 43 percent very aware of their legal requirements in both 2015 and 2016.
- In addition, there also remains ambiguity across both large and small businesses over potential fines for lost confidential information under Australia’s Privacy Act. Worryingly, only 12 percent of SMEs are aware that there are financial costs associated with a data breach and even among C-suite executives this figure is below half (46 percent), suggesting a need for clarity of legal obligations for businesses.
More action on information security is required from the Australian Government:
- Legislation is increasingly identified as having a critical role in information security. Half (53 percent) of SMEs rate the Government’s response to information security as mostly good, but feel they could do better, with an additional 26 percent claiming that improvements are needed.
- More C-suite executives claim a need for improvement in the Government’s commitment to information security this year (34 percent in 2016 compared to 19 percent in 2015).
- In addition, large organisations are also much more likely to say additional legislation would put pressure on their organisation to change their information security policies with 39 percent stating this is the case.
Shred-it is a world-leading information security company providing information destruction services that ensure the security and integrity of our clients’ private information. A wholly-owned subsidiary of the US-based professional services company Stericycle, Shred-it operates in 170 markets throughout 18 countries worldwide, servicing more than 400,000 global, national and local businesses. For more information, please visit www.shredit.com.au.