Shred-it Study Finds U.S. Business' Information Security Plagued by Human Error, Insider Threats, and Deliberate Sabotage
With the incidence of reported data breaches on the rise, more than half of all C-suite executives (C-Suites) (53%) and nearly three in 10 Small Business Owners (SBOs) (28%) who suffered a breach reveal that human error or accidental loss by an external vendor/source was the cause of the data breach. That is according to Shred-it's Ninth Annual Data Protection Report (formerly known as "The Security Tracker: State of the Industry Report"), which exposes information and data security risks currently threatening U.S. enterprises and small businesses and includes findings from a survey conducted by Ipsos.
When assessing additional causes of data breaches, the report found that nearly half of all C-Suites (47%) and one in three SBOs (31%) say human error or accidental loss by an employee/insider was the cause. What's more, one in five C-Suites (21%) and nearly one in three SBOs (28%) admit deliberate theft or sabotage by an employee/insider was the cause of the data breach, compared to two in five C-Suites (43%) and one in three SBOs (31%) who say deliberate theft or sabotage by an external vendor/source caused their organization to suffer a data breach.
While the result of a data breach can have a variety of consequences on U.S. businesses, one of the most important factors is that a breach has an immediate effect on employee trust in an organization. In fact, one-third (33%) of the U.S. workforce say they would likely look for a new job if their employer suffered a breach of customer (31%) or employee data (35%). What's more, while nearly half of all consumers (47%) would wait to see how a business reacts to a data breach they've suffered before making up their mind about what to do, nearly one in four consumers (23%) would stop doing business with the company and nearly one-third (31%) would tell others about the breach.
Additional findings from the report include:
Lack of training leaves employees unaware of information security policies and procedures.
- When asked if their organization has a known and understood policy for storing and disposing of confidential paper documents, one in five C-Suites (21%) admit they have a policy but that not all employees are aware of it, and more than one in 10 SBOs (12%) said the same.
- Three in 10 (30%) of SBOs admit that no policy exists for storing and disposing of confidential paper documents.
- When it comes to understanding policies for storing and disposing of end-of-life electronic devices, one in five C-Suites (21%) and SBOs (12%) say they have a policy, but not all employees are aware of it. Four in 10 (42%) SBOs say no policy exists in their organization.
U.S. businesses acknowledge remote work is important to employees, but worries of a data breach grow.
- 94% of C-Suites and 79% of SBOs agree with the statement that they believe the option to work remotely is going to become increasingly important to their employees in the next 5 years.
- However, 88% of C-Suites and 69% of SBOs agree with the statement that the risk of a data breach is higher when their employees work off-site than it is when they work at the office.
- One in six (16%) working Americans say their organization has suffered a data breach at some point in the past.
Despite investments in digital security, U.S. businesses remain vulnerable due to lack of information and cyber security training.
- Of the money their organization spends on data security, C-Suites say 59% is spent on digital security and 41% on physical document security, on average. SBOs say 56% is spent on digital security and 44% on physical document security, on average.
- One in 10 C-Suites (10%) and nearly one in 10 SBOs (9%) say they train their staff only once during their employment on their organization's information security policies and procedures.
- Although the majority of C-Suites (88%) regularly train employees on how to identify common cyber-attack tactics such as phishing, ransomware, or other malware (malicious software), only slightly more than half of SBOs (52%) say the same.
- Around three in five (58%) working Americans have been targeted by phishing email or social engineering scams at work, of which eight percent (8%) claim to have been victimized by them.
Americans think their personal data and information is less secure than it was 10 years ago.
- Consumer confidence in data security is low with more than half (60%) believing their personal data and information is less secure than it was 10 years ago.
- With those concerns, it's no surprise that 83% of consumers say digital data security is a top priority when choosing who to do business with.
- Additionally, nearly seven in 10 consumers (66%) do not trust that all digital data breaches are properly disclosed to consumers and not kept secret.
About the 2019 Data Protection Report
Shred-it commissioned Ipsos to conduct a quantitative online survey of Small Business Owners (SBOs) in the United States (n=1,000) with fewer than 100 employees, and C-Suite Executives in the United States (n=100) with a minimum of 500 employees. Data for Small Business Owners is weighted by region. Data for C-Suite Executives is unweighted as the population is unknown. The precision of Ipsos online surveys is calculated via a credibility interval. In this case, the U.S. SBO sample is considered accurate to within +/- 3.5 percentage points had all U.S. small business owners been surveyed, and the U.S. C-Suite sample is accurate to within +/- 11.2 percentage points had all U.S. C-Suite Executives been surveyed. The fieldwork was conducted between March 26th and April 1st, 2019.
In addition to the quantitative online survey, Ipsos conducted a short omnibus survey among a general population sample of n=2,014 Americans about data protection and security. The credibility interval for this sample group is +/- 2.5 percentage points, 19 times out of 20, of what the results would have been had all adults in the U.S. over the age of 18 been surveyed.