Shred-it’s 2019 Data Protection Report reveals more than half of all large U.S. businesses who suffered a breach say it was a result of external vendor errors.

Lake Forest, IL – With the incidence of reported data breaches on the rise, more than half of all C-suite executives (C-Suites) (53%) and nearly three in 10 Small Business Owners (SBOs) (28%) who suffered a breach reveal that human error or accidental loss by an external vendor/source was the cause of the data breach. That is according to Shred-it’s Ninth Annual Data Protection Report (formerly known as “The Security Tracker: State of the Industry Report”), which exposes information and data security risks currently threatening U.S. enterprises and small businesses and includes findings from a survey conducted by Ipsos.

When assessing additional causes of data breaches, the report found that nearly half of all C-Suites (47%) and one in three SBOs (31%) say human error or accidental loss by an employee/insider was the cause. What’s more, one in five C-Suites (21%) and nearly one in three SBOs (28%) admit deliberate theft or sabotage by an employee/insider was the cause of the data breach, compared to two in five C-Suites (43%) and one in three SBOs (31%) who say deliberate theft or sabotage by an external vendor/source caused their organization to suffer a data breach.

“For the second consecutive year, employee negligence and collaboration with external vendors continues to threaten the information security of U.S. businesses,” said Ann Nickolas, Senior Vice President, Stericycle, the provider of Shred-it information security solutions. “New to this year however, is that the report revealed how deliberate sabotage by both employees and external partners are very real risks organizations face today. The consequences of a data breach are extensive and are not limited to legal, financial and reputational damage. As the report showed, data breaches can affect employee retention too.”

While the result of a data breach can have a variety of consequences on U.S. businesses, one of the most important factors is that a breach has an immediate effect on employee trust in an organization. In fact, one-third (33%) of the U.S. workforce say they would likely look for a new job if their employer suffered a breach of customer (31%) or employee data (35%). What’s more, while nearly half of all consumers (47%) would wait to see how a business reacts to a data breach they’ve suffered before making up their mind about what to do, nearly one in four consumers (23%) would stop doing business with the company and nearly one-third (31%) would tell others about the breach.

Additional findings from the report include:

Lack of training leaves employees unaware of information security policies and procedures.

• When asked if their organization has a known and understood policy for storing and disposing of confidential paper documents, one in five (21%) of C-Suites admit they have a policy but that not all employees are aware of it and more than one in 10 (12%) of SBOs said the same.
• Three in 10 (30%) of SBOs admit that no policy exists for storing and disposing of confidential paper documents.
• When it comes to understanding policies for storing and disposing of end-of-life electronic devices, one in five C-Suites (21%) and SBOs (12%) say they have a policy, but not all employees are aware of it. Four in 10 (42%) SBOs say no policy exists in their organization.

U.S. businesses acknowledge remote work is important to employees, but worries of a data breach grow.

• 94% of C-Suites and 79% of SBOs agree with the statement that they believe the option to work remotely is going to become increasingly important to their employees in the next 5 years.
• However, 88% of C-Suites and 69% of SBOs agree with the statement that the risk of a data breach is higher when their employees work off-site than it is when they work at the office.
• One in six (16%) working Americans say their organization has suffered a data breach, at some point in the past.

Despite investments in digital security, U.S. businesses remain vulnerable due to lack of information and cyber security training.

• Of the money their organization spends on data security, C-Suites say 59% is spent on digital security and 41% on physical document security, on average. SBOs say 56% is spent on digital security and 44% on physical document security, on average.
• One in 10 C-Suites (10%) and nearly one in 10 SBOs (9%) say they train their staff only once during their employment on their organization’s information security policies and procedures.
• Although the majority of C-Suites (88%) regularly train employees on how to identify common cyber-attack tactics such as phishing, ransomware, or other malware (malicious software), however, only slightly more than half of SBOs (52%) say the same.
• Around three in five (58%) working Americans have been targeted by phishing email or social engineering scams at work, of which eight percent (8%) claim to have been victimized by them.

Americans think their personal data and information is less secure than it was 10 years ago.

• Consumer confidence in data security is low with more than half (60%) believing their personal data and information is less secure than it was 10 years ago.
• With those concerns, it’s no surprise that 83% of consumers say digital data security is a top priority when choosing who to do business with.
• Additionally, nearly seven in 10 consumers (66%) do not trust that all digital data breaches are properly disclosed to consumers and not kept secret.

Links:
Shred-it