Secure Disposal Remains Elusive for Documents of All Stripes
The paperless office movement has hit a roadblock, as US businesses ramp up their use of physical documents. Secure data disposal however isn’t following suit—and continues to lag for electronic disposal as well.
According to the seventh annual Shred-it Information Security Tracker Survey, conducted by Ipsos, 39% of C-suite executives anticipate an increase in the volume of paper their organization will use over the next year. Meanwhile about half (52%) of small business owners (SBOs) anticipate no reduction in the volume of paper they use. And across the board, there seems to be a lack of understanding of the vulnerabilities a lingering paper trail can create within an organization.
The Security Tracker survey reveals that 32% of SBOs believe that the loss or theft of documents would cause no damage to their organization, and 31% think a data breach wouldn’t significantly impact their business. Their actions reflect this lack of concern—39% of SBOs have no policy in place for storing and disposing of confidential paper documents. Additionally, only a small percentage (13%) have a locked console in the office and use a professional shredding service to destroy confidential documents.
On the flip side, about half (49%) shred all documents, regardless of whether considered confidential or not.
Unlike their smaller counterparts, most larger US organizations have implemented policies that address confidential data in all forms. However, their practices continue to leave the door open for fraud, especially when it comes to the secure storage and destruction of electronic devices and hard drives. Although 96% of large businesses have a policy in place to store and destroy electronic devices, fewer C-level executives than ever before are disposing of electronic devices on a regular basis. The percentage of C-suite respondents who dispose of electronic devices, including hard drives, on a quarterly basis or more frequently has gone down from 76% in 2016 to 57% in 2017.
“Whether it be on lingering paper documents or electronic devices, properly disposing of or securing sensitive information is the best way for a business to protect their customers, their reputation and their people,” said Kevin Pollack, senior vice president at Shred-it. “Companies of all sizes need to start taking proactive measures to ensure their employees are trained on destruction procedures, that sensitive information is stored securely, and that they’re mitigating information security threats by disposing of paper and electronic devices in a timely fashion.”
Ultimately, these security shortfalls have led to a lack of confidence in both small and large businesses.
Confidence in current secure destruction systems for both paper and electronic media is low, with 43% of C-level executives and 46% of SBOs reporting that they feel less than very confident.
“Additional factors contributing to low confidence may include a lack of employee knowledge of the legal requirements in their industry, or a lack of training on company policies for the disposal, destruction, and storage of confidential and non-confidential information,” the report said.
In fact, only about half of all C-Suites (51%) train their employees on legal requirements at least twice a year and 36% of SBOs never train their employees at all.
Breaking the results down on a vertical basis, practices are a mixed bag, with the financial industry looking the strongest.
When asked if they had a strong understanding of legal requirements for storing, keeping, or disposing of confidential information, 88% of finance/legal/insurance executives claimed they do. Training of staff on company’s information security procedures is highest here as well, at 81%.
In contrast, when asked to rate their understanding of the legal requirements for storing, keeping, or disposing of confidential information, 19% of respondents in the real estate industry said they have “some understanding of the requirements and somewhat adhere to them, but not on a daily basis.” A quarter (26%) of respondents said no policy exists for storing and disposing of confidential information on electronic devices.
Retail results were marginally better, although only 12% of respondents in the retail space said they use a locked console and a professional shredding service. When asked if they had a strong understanding of legal requirements for storing, keeping or disposing of confidential information, 65% of retail executives said they do.
Meanwhile, 23% of respondents in the business services industries said they have “some understanding of the requirements and somewhat adhere to them, but not on a daily basis.” Yet a quarter (24%) of respondents in the business services industries said no policy exists for storing and disposing of confidential paper documents.
And finally, about a fifth (21%) of respondents in the public services industries said no policy exists for storing and disposing of confidential paper documents, and 28% said no policy exists for storing and disposing of confidential information on electronic devices.
Source: Information Security Magazine