Do strong cybersecurity practises prevent all data breaches? Not according to a new study from Shred-it and the Ponemon Institute.
The recent major data breaches in Canada have led many to put a lot more focus into cybersecurity for their companies, but the study from Shred-It outlines how a lack of physical security can also lead to data breaches and many people seem to have forgotten about it.
“Everything is online. So all of the resources get put towards methods to make sure that our internets are secure. Because of that, everybody does forget that there are uses for paper,” said Preet Saini, the manager of Stericycle, who are a provider of Shred-it products, said in an interview with ITbusiness.ca. “Increasingly, because we think we are doing a lot of things online, we forget about those smaller instances where we have to engage with physical documents or physical information. And there just aren’t enough protocols in place to make sure that those are properly taken care of.”
Often times, data breaches due to a lack of physical security are caused by simple negligence and common workplace behaviors, as opposed to malicious attacks, said Saini. The main culprits according to the study are not properly disposing of unused hard drives and devices, sending email to the wrong recipient (88 per cent surveyed said they have received such an email with confidential information), or leaving paper documents with confidential information around without properly disposal methods or storing it in a secure location (71 per cent of managers surveyed said they have encountered this).
What would appear to some as minute issues, can actually cause serious issues. In fact, the study shows that a staggering two out of three businesses in Canada have experienced a data breach over the last year, a stat that Saini said does not surprise him, mostly because of the lack of effort put into physical security.
“It wasn’t necessarily surprising, mainly because… with the digitization of the world happening, we’ve noticed that companies more and more are starting to neglect paper documents,” said Saini. “And unfortunately, it’s employee negligence that’s caused the main core of data breaches happening.”
And that negligence could be corrected by proper awareness training, said Saini.
“The biggest core reason behind the employee negligence is lack of training. Key members don’t know what they’re supposed to be spreading or what emails they can send or what data they should or should not have access to. People just don’t know what they don’t know. So there’s a lack of training.”
In addition to a lack of training, Saini said he sees a lack of proper regulations or a lack of communication of those regulations being instituted by companies, which furthers the confusion that employees are experiencing regarding confidential information.
“It’s going to happen when it’s a larger organization. Training and policies are not trickled down effectively from the top,” said Saini. “So when their training and policies are not communicated effectively, it’s tough for managers to roll that out to their team. Therefore there is a loss in confidence in them.”