About half of Canadian small business owners and C-suite execs not confident in secure destruction systems for paper or electronic media: survey

Just over half (53%) of Canadian small business owners (SBOs) and just under half (48%) of C-suite executives don’t feel confident about their current secure destruction systems for paper or electronic media, according to the seventh annual Shred-it Information Security Tracker Survey.

The Shred-it survey, conducted by Ipsos, found that Canadian businesses might not be keeping up with the complex privacy and security risks associated with an evolving workplace environment, and they know they’re falling behind, Shred-it said in a press release on Wednesday. As well, Canadian businesses have “few or no policies for managing electronic devices,” the release pointed out.

The survey involved a quantitative online poll of two distinct sample groups: SBOs in Canada (n=1,001) and C-suite executives working for businesses in Canada with a minimum of 100 employees (n=100). For this study, the SBO sample is considered accurate to within +/- 3.5 percentage points had all small business owners been surveyed, and the C-suite sample is accurate to within +/- 11.2 percentage points had all C-suites been surveyed.

When it comes to the use of electronic devices in small businesses, the survey revealed a striking gap between what SBOs perceive to be their greatest security risk and the current data protection policies they have in place. Sixty per cent of SBOs polled perceived their biggest information security risk in the next five to ten years to be either online threats (29%), cloud computing (16%) or the paperless office (15%) – all of which originate from electronic media. More concerning, the release said, is that 46% of SBOs don’t have a policy in place for disposing of confidential data found on electronic devices. And 50% of SBOs have no policy in place at all for governing the use of electronic devices in their business. For those small businesses that have a practice for disposing of data found on electronic devices, the majority (59%) wipe or dispose of their electronic materials containing confidential information in-house.

“Even if information on an electronic device is erased, reformatted or wiped, it’s not always enough to protect confidential information,” warned Paul Saabas, Shred-it’s vice president. “Destroying the device’s hard drive is the only way to ensure the information is unrecoverable. One of the best things any business can do to protect its customers over the long term is establish good data protection policies right from the start, which include securely and permanently destroying obsolete hard drives.”

Contrary to their small business counterparts, a significant majority (87%) of C-suites work at organizations that have a policy in place for the use of electronic devices in their workplace, the release noted. However, these measures are incomplete: 44% don’t have a policy in place that is strictly adhered to and known by all employees for disposing of confidential data found on those electronic devices. And 47% don’t require electronic devices to be both encrypted and password protected.

Furthermore, while 92% of C-Suites recognize that it is either very important or somewhat important to have an external provider for hard drive destruction, over half (56%) of C-Suites wipe or dispose of their electronic materials containing confidential information in-house.

“Without policies governing the use and destruction of electronic devices, Canadian businesses put their organization and reputations at risk by exposing sensitive customer, employee and business data,” says Saabas. “While it’s true that small businesses face different resource challenges than larger businesses, there are simple and low-cost best practices that all businesses should implement regardless of size.”

The survey also found that the lack of confidence Canadian businesses have in their own data destruction systems is coupled with a lack of confidence in the Canadian government’s commitment to information security: only 12% of SBOs and 31% of C-Suites think the government is doing an excellent job. While there may be a greater role for government in information security (52% of C-Suites say that strict financial penalties for not adhering to document destruction legislation would put pressure on their organization to change its policies), it is the onus of businesses to protect their customers, their employees and themselves from data breaches.

To help protect sensitive information on electronic devices, Shred-it offers five “simple and low-cost” guidelines for businesses of all sizes:

• Regularly clean out storage facilities and avoid stockpiling unused hard drives;
• Destroy all unused hard drives using a third-party provider that has a secure chain of custody to offer peace of mind and ensure data is kept out of the hands of fraudsters;
• Manage mobile devices by requiring that devices be signed out whenever they are taken out of the office. Put additional privacy safeguards in place such as requiring an authentication to unlock a device and teaching employees to never leave equipment unattended;
• Encrypt all electronic devices to make digital information unreadable. If lost or stolen, encryption will help protect the confidential information stored on the device and mitigate any compromising activity; and
• Use password management tactics including multi-factor authentication, a password manager for generating and storing passwords, and a log-in abuse detection system.