Human error seen as leading cause of information security breaches for small businesses: Canadian survey

Not enough small businesses in Canada are implementing training programs and establishing protocols to help employees recognize risks to information security despite staff awareness and errors being among the biggest threats, suggest results of Shred-it’s 2016 Security Tracker Survey.

Canadian C-suite executives and small business owners (SBOs) from the survey recognize employee lack of knowledge and human error concerning information security protocols are the biggest threats to their companies in the future, cited by 41% and 47%, respectively.

About a third, 31%, of surveyed C-suite executives report that they train employees more than once a year on their industry’s legal compliance requirements and 39% of SBOs never conduct compliance training with employees, notes a statement from Shred-it, which provides information destruction services to ensure security and integrity of clients’ private information.

Results further show 39% of SBOs never train employees on their company’s information security procedures, 31% only do it on an ad-hoc/as-needed basis, and 47% only audit their policies every few years or less, the statement notes.

Even so, Shred-it reports in the statement, businesses are not prioritizing employee training and auditing on company information security procedures and industry legal requirements.

Businesses should consider training as an ongoing process to keep risks top-of-mind among employees and ensure the information security policies and procedures are being followed, the company recommends. [click image below to enlarge]

Still, just 57% of C-suite executives and 43% of SBOs in the sixth annual survey have a protocol for storing and disposing of confidential paper data that is strictly adhered to by all employees, and 61% of C-suite executives and 40% of SBOs have a protocol addressing electronic devices that is strictly adhered to by all employees.

“With little training on information security procedures, employees are forced to make the decision as to what is and what isn’t considered confidential,” says Andrew Lenardon, global director of Shred-it. “Should they make an error in judgment, the organization can unintentionally be exposed to serious information security issues and the potential for fraud,” Lenardon cautions.

“By failing to ensure employees understand and follow security policies, Canadian businesses are putting their organization and reputations at-risk by exposing valuable customer, employee and business data,” he says.

“Training and auditing is a critical part of every information security plan and are vital in reducing data breaches,” Lenardon adds.

Other survey results include the following:

• only 28% of SBOs identify having a policy that requires all paper documents to be shredded and 33% have no policy in place;
• 53% of SBOs do not require employees to clear their desk of all documents when they leave their workstation for an extended period (loose paperwork and a messy desk are an easy target for theft); and
• 37% of Canadian C-suite executives and 38% of SBOs dispose of electronic confidential data by wiping and degaussing hard-drives in-house (the method does not ensure data stored on the hard drive is inaccessible and employees can be accidentally exposing confidential information when old hard-drives are sent to be recycling or reused).

Results are based on a quantitative online survey – conducted by Ipsos, with the fieldwork done in mid- to late March – of 1,000 small business owners in Canada and 100 C-suite executives working for businesses in Canada with at least 100 employees. The SBO sample is considered accurate to within +/- 3.5 percentage points; the C-suite sample is accurate to within +/- 11.2 percentage points.