U.S. Business’ information security plagued by human error, insider threats, and deliberate sabotage

June 17, 2019

A 2019 Data Protection Report reveals more than half of all large U.S. businesses who suffered a breach say it was a result of external vendor errors. With the incidence of reported data breaches on the rise, more than half of all C-suite executives and nearly three in 10 Small Business Owners (SBOs) who suffered a breach reveal that human error or accidental loss by an external vendor/source was the cause of the data breach, according to a summary of Shred-it's ninth annual Data Protection Report (formerly known as “The Security Tracker: State of the Industry Report”), which exposes information and data security risks currently threatening U.S. enterprises and small businesses. The report also includes findings from a survey conducted by Ipsos.

“For the second consecutive year, employee negligence and collaboration with external vendors continues to threaten the information security of U.S. businesses,” said Ann Nickolas, Senior Vice President, Stericycle, the provider of Shred-it information security solutions, in the statement. “New to this year however, is that the report revealed how deliberate sabotage by both employees and external partners are very real risks organizations face today. The consequences of a data breach are extensive and are not limited to legal, financial and reputational damage. As the report showed, data breaches can affect employee retention too.”

When assessing additional causes of data breaches, the report found that nearly half of all C-Suites (47 percent) and one in three SBOs (31 percent) say human error or accidental loss by an employee/insider was the cause. Also, it found that one in five C-Suites (21 percent) and nearly one in three SBOs (28 percent) admit deliberate theft or sabotage by an employee/insider was the cause of the data breach, compared to two in five C-Suites (43 percent) and one in three SBOs (31 percent) who say deliberate theft or sabotage by an external vendor/source caused their organization to suffer a data breach.

While the result of a data breach can have a variety of consequences on U.S. businesses, one of the most important factors is that a breach has an immediate effect on employee trust in an organization. In fact, one-third (33 percent) of the U.S. workforce say they would likely look for a new job if their employer suffered a breach of customer (31 percent) or employee data (35 percent). What’s more, while nearly half of all consumers (47 percent) would wait to see how a business reacts to a data breach they’ve suffered before making up their mind about what to do, nearly one in four consumers (23 percent) would stop doing business with the company and nearly one-third (31 percent) would tell others about the breach.

Additional findings from the report include:

·  Lack of training leaves employees unaware of information security policies and procedures.

·  When asked if their organization has a known and understood policy for storing and disposing of confidential paper documents, one in five (21 percent) of C-Suites admit they have a policy but that not all employees are aware of it and more than one in 10 (12 percent) of SBOs said the same.

· Three in 10 (30 percent) of SBOs admit that no policy exists for storing and disposing of confidential paper documents.

· When it comes to understanding policies for storing and disposing of end-of-life electronic devices, one in five C-Suites (21 percent) and SBOs (12 percent) say they have a policy, but not all employees are aware of it. Four in 10 (42 percent) SBOs say no policy exists in their organization.

· 94 percent of C-Suites and 79 percent of SBOs agree with the statement that they believe the option to work remotely is going to become increasingly important to their employees in the next 5 years.

· However, 88 percent of C-Suites and 69 percent of SBOs agree with the statement that the risk of a data breach is higher when their employees work off-site than it is when they work at the office.

· One in six (16 percent) working Americans say their organization has suffered a data breach, at some point in the past.

· Of the money their organization spends on data security, C-Suites say 59 percent is spent on digital security and 41 percent on physical document security, on average. SBOs say 56 percent is spent on digital security and 44 percent on physical document security, on average.

· One in 10 C-Suites (10 percent) and nearly one in 10 SBOs (9 percent) say they train their staff only once during their employment on their organization’s information security policies and procedures.

· Although the majority of C-Suites (88 percent) regularly train employees on how to identify common cyber-attack tactics such as phishing, ransomware, or other malware (malicious software), however, only slightly more than half of SBOs (52 percent) say the same.

·  Around three in five (58 percent) working Americans have been targeted by phishing email or social engineering scams at work, of which eight percent (8 percent) claim to have been victimized by them.