A new survey conducted by global research firm Ipsos for information security company Shred-It finds that U.S. business leaders, especially small business owners (SBOs), are “unprepared” for the increased threat to information security that comes with “flexible office environments” and more mobile workforces.
According to the 2016 Shred-it Security Tracker survey, with the number of mobile workers in the US expected to reach 105 million by 2020, the greater use of information technology “tools” such as laptops, USB flash drives, and smart phones, plus access to cloud storage networks out of the “traditional” office environment experience far higher cyber threat risks levels.
The survey of over 1,110 executives determined that that a majority of C-Suite executives (92%) and just over half of SBOs (58%) have at least some employees using a flexible/offsite working model. Yet only 31% of C-Suite Executives and 32% of SBOs said they have an information security policy for both off-site work environments and flexible working areas in place.
"Without ongoing training and comprehensive policies for remote and flexible workplaces, businesses are at risk," noted Andrew Lenardon, global director for Shred-it, in the report. "Although employees want increased flexibility and the ability to work remotely, business leaders must ensure that the right information security and training protocols are in-place to protect confidential customer and business data."
While larger U.S. organizations are incorporating more security protocols for remote workers, the survey found that small businesses have room to improve how they are destroying and storing digital data.
SBOs are more likely to wipe/degauss electronic devices in-house (37%), which inadvertently risks exposing the confidential data stored on the hard drive when the device is sent to be recycled or reused.
In contrast, their C-Suite counterparts follow the best practices for data destruction and almost half (47%) use a professional destruction service to dispose of their unneeded electronic material, the report said.
Regularly destroying hardware is another important part of device management as legacy hardware stockpiled and stored in the office is a risk for theft, Lenardon said
However, 60% of SBOs only dispose of hard drives, USBs, and other electronic devices containing confidential information less than once a year or never. Comparatively, a majority of C-Suite Executives (76%) indicate their businesses destroy hardware every two to three months - or more frequently, he pointed out.
"The only proper way to protect information is to physically destroy the hard drive - simply wiping the device does not ensure sensitive information is completely removed," Lenardon emphasized. "Implementing security policies that address how digital devices are stored and destroyed is vital for any sized organization to help address the additional risks associated with mobile working."
Yet he warned that while C-Suite executives are focused on electronic device and data destruction, they must not become complacent with the storage and destruction of paper documents as their employees are no longer tied to the traditional office.
For example, only some 46% of C-Suite executives in Shed-it’s 2016 report said they maintain protocol for destroying confidential documents adhered to by all employees; a dramatic drop from 2015, when 63% of those executives said they maintained such protocols.
On top of that, 40% of SBOs report having no employee directly responsible for managing data security. “While it is important to have senior management and leadership play a vital role in mitigating data breaches, engaging employees from all levels and cross-departments helps strengthen an organization's focus and commitment on information security,” Lenardon said.
He went on to highlight seven simple workplace guidelines businesses of any size can follow to ensure mobile workers maintain cyber security:
- Don’t leave hardware (laptops, USBs, etc.) or materials in vehicles, hotels, coffee shops or elsewhere.
- Limit the type of documents that employees can remove from the office, as there is no way to ensure data is secured when outside of the company's control
- Encrypt all phones and hard drives, plus activate passwords on electronic devices.
- Perform a regular cleaning of storage facilities and avoid stockpiling obsolete electronic devices
- Destroy all unused hard drives using a third-party provider who has a secure chain of custody and confirms destruction.
- Regularly review your company’s information security policy to incorporate new and emerging forms of electronic media.
- Schedule on-going training so employees understand best practices for protecting confidential information – in and out of the workplace.
“Data anxiety among small business owners results from not having adequate resources to properly manage information security,” added Bruce Andrew, Shred-It’s senior vice president. “While the threat of an information security breach is an increasingly widespread problem for businesses of all sizes, it is especially prevalent for small businesses.”
He noted for example that a Ponemon Institute survey found that 55% of small businesses have had at least one data breach and 53% of those businesses had multiple breaches.
Yet the 2016 Security Tracker report indicated that while 85% of small business owners are aware of their legal requirements concerning confidential data, less than half have a protocol in place that is followed by all employees.
"Most small businesses don't know where to start when it comes to information security,” Andrew said. “While many small businesses owners are aware that data breaches are legally and financially damaging, they are overwhelmed when it comes to setting rules and implementing information security protocols. Ensuring there are preventative measures in-place is the best way to combat data anxiety and protect businesses from information theft and data breaches and their consequences."