Many Canadian businesses are not using recommended tech tools and practices to protect customers’ personal data, according to a survey commissioned by the Privacy Commissioner of Canada.
Nearly half of Canadian businesses that handle customers’ personal information in digital form fail to use appropriate tools and practices to protect sensitive data, according to a survey commissioned by the Office of the Privacy Commissioner of Canada.
In a poll that covered 1,006 companies from various industries across the country, the commission found that a “vast majority” of businesses use passwords to protect personal data stored in digital devices. However, “many do not ensure that passwords are difficult to guess or that their employees change them regularly – two practices that can really help thwart online crime,” said Federal Privacy Commissioner Jennifer Stoddart.
The survey also showed that 50 per cent of companies that stored personal information on portable devices such as USB sticks and tablets do not use encryption. The survey was conducted by opinion and market research firm Phoenix Strategic Perspectives Inc. and is considered to be accurate to within +/- 3.1 per cent 19 times out of 20. Click here for the complete survey.
Personal data cull
A vast majority of the firms surveyed (93 per cent) collect contact information such as names, phone numbers and addresses.
More than 68 per cent collect location information such as postal codes. Businesses also gather other types of customer data such as financial information (39 per cent), opinions, evaluations and comments (24 per cent), purchasing habits (17 per cent) and medical information (10 per cent).
Nearly 66 per cent of these companies store customers’ personal information in paper records, while 55 per cent store such information on desktop computers and 47 per cent use on-site servers.
Of those firms that use portable devices to store customers’ personal information, only 44 per cent use encryption to protect such information.
As much as 23 per cent keep customers’ personal information in portable devices such as laptops, USB sticks, and tablet devices. A much smaller number (eight percent) have moved these types of data into cloud computing systems. About seven per cent of the respondents said they were using third party cloud storage providers.
Tech tools used to ensure privacy protection
The businesses surveyed reported using a number of methods to protect the personal information of their clients.
- Tech tools, such as passwords, encryption or firewalls (73 per cent)
- Physical measures, such as locked filing cabinets, restricted areas or security alarms (72 per cent)
- Organizational controls, such as policies and procedures (51 per cent)
Of the businesses that said they use technology-based tools to protect data, 96 per cent use passwords, 79 per cent use firewalls and 43 per cent use encryption.
About 55 per cent of respondents said they have controls to ensure that employees use “hard-to-guess passwords.”
In the case of requiring employees to change their password, response from business was all over the map:
- Monthly -16 per cent
- Quarterly – 17 per cent
- Every six month – 10 per cent
- Yearly – 12 per cent
- Less than year – 7 per cent
- No change required – 27 per cent
Misconceptions surrounding encryption tools may be behind the reticence of some businesses to use the technology according to Privacy Commissioner Stoddart.
There are some unfounded myths which say encryption software slows don systems or are overly complicated and expensive, she said.
“It takes a bit of time to initially encrypt your files, but the impact on day-to-day functions is almost nothing,” Stoddart said.
Encryption has evolved to become more affordable as well, according to a technology analyst.
There is no shortage of easy to use, inexpensive mobile security tools in the market today, says James Quin, lead research analyst at consultancy firm Info-Tech Research Group, in London, Ont.
“Commercial encryption software can be purchased for as low as $50 to $80,” Quin said.
“The real issue is lack of user awareness and education,” he said.