Information Security: State of the Industry
In an age of continuous change and evolution in business needs, leaders need to establish a reliable system for assessing their own policies and strategies regarding information security practices. To secure a fair share of growth in their industries, businesses need to understand the risks across their organizations, along with the best practices for mitigating information security threats.
It is hard to overlook that, year after year, the number of security threats and frauds has continued to grow. For instance, North America has witnessed an incredible number of security threats. The average cost for each stolen record is estimated at between $200 and $300. Beyond the direct cost of the frauds, their effects are severe. According to reports, reputational damage, loss of customers, and the loss of time and resources needed to normalize the situation have significantly affected businesses.
Studies and surveys revealed that a majority of C-suite executives accepted that their organizations recovered from a security breach incident after six months. More than half of small business owners (SBOs) believed that it took them longer, almost a year or more, to catch up with the losses.
Analysing the situation
The amount of data is constantly increasing at an enormous rate. Looking at the gradual shift of the workforce into the digital space, it is hard to imagine getting work done without being connected to a network. Time and resources are saved through technology. Laptops, USB drives, cloud storage, smartphones, smartwatches, the Internet of Things, big data, and countless other technologies are taking major positions in almost every business. Most of the above-mentioned devices obviously hold the private and confidential data of their organizations. These devices and tools are vulnerable to security threats if they are poorly managed and carelessly disposed of.
Electronic devices
Reports suggest that businesses often fail at the proper storage, and later the destruction, of electronic devices. The C-suites and SBOs accept that poor management of devices occurs in their organizations. Around 56% of C-suites dispose of electronic material containing private information at their homes, while 46% destroy hard drives, USB drives, and other electronic equipment holding private data less than once a quarter, allowing devices to stockpile in the office. Almost 59% of SBOs destroyed their electronic materials containing private data at home, and 44% of SBOs do not destroy their hard drives, USB drives, or any other electronic device that contains private information.
Implementation of policies
Businesses of all sizes must consider that adopting a secure data protection policy and enacting it as a full priority highlights the importance of data protection.
The C-suites have enacted policies and best practices. According to reports, 46% of SBOs do not have any policy for storing and managing private data on devices, and 50% do not have any policy for overseeing the usage of electronic devices. Where SBOs did have a policy in place, it was observed that 41% of them never provided training to staff on the management of information security documents and policies.
The overall picture these reports suggest is that a lack of information security policies, staff training, and practices has led to a lack of confidence in businesses of all sizes. It also reflects poor information destruction systems and the attitude of employees towards sensitive data management. More than half of SBOs, 52%, and 48% of C-suites did not have confidence in their current destruction systems for documents in physical and electronic form. These reports further suggest that there are enormous challenges in running an organization, and that prioritizing and planning are necessary for working in a digital workspace.
In an era where business is evolving every day, it is important for organizations to realize that information security risks are also increasing. Data theft and security attacks have grown more sophisticated as well. Thus, organizations need to modify and update their existing procedures and implement stricter policies for everyone regarding business data.
Paper risks
Even though offices are turning digital, paperwork remains a core part of the working methodology for many businesses. Reports suggest that 39% of C-suites predicted that the amount of paper used by their organization would increase, whereas 52% of SBOs anticipated that the volume of paper used would remain almost the same. Despite this, SBOs lacked an understanding of the risks associated with having documents and papers within their organization. The survey reveals that 32% of SBOs believed that data theft from documents would not damage their organization, and 31% believed that a data breach would not cause a serious impact on their organization. These statistics are reflected in their actions: 39% of SBOs have no policy for storing and shredding their confidential documents. Around 49% shredded all documents regardless of whether they were confidential or not. Only 13% have locked consoles on their office premises and use a third party for professional shredding of their documents.
Hard drive threats
Workplaces have plenty of machines that aid in document management. Printers, fax machines, photocopiers, flash drives, USB drives, and similar electronic devices contain storage that holds private data. Businesses with proper protocols for the secure storage and destruction of hard drives can protect themselves against the physical theft of discarded devices.
44% of SBOs have no policy in place for the storage and disposal of hard drives and other similar electronic devices containing confidential data. Around 15% of SBOs destroyed these devices at least once a quarter, and hard drives were left to stockpile in the office without being destroyed. Large organizations in the US have more detailed data protection policies than smaller businesses. However, the vulnerabilities are not reduced to zero in either case. Although 96% of businesses have a policy for managing, storing, and destroying electronic devices, very few C-suites destroy the electronic devices before disposing of them. The percentage of C-suites who destroyed their electronic devices and hard drives every quarter or more frequently dropped from 76% in 2016 to 57% in 2017.
Poor management and storage of paper documents and electronic devices significantly increase the risk to a business. The average cost of a data breach is increasing every year. Businesses might be in a position to absorb the financial losses, but losses of reputation and customer trust are inescapable.
Proper disposal and securing of sensitive data is the best precaution against fraud and cyber-attacks. To prevent customer data loss, companies of all sizes, big or small, must proactively spend time and resources to protect themselves from these harsh outcomes.
Busting the Myths
The greatest challenge faced by businesses is to combat their preconceived notions and perceptions about information security. Poor knowledge of data security and belief in myths can lead to incorrect assessment of threats, poor allocation of resources, and wrong priorities for data protection. In addition, a lack of trained employees and outdated protocols for the management of data, combined with these myths, can lead to breaches caused by human error.
Surveys suggest that 25% of data breaches in Canada and 23% of data breach incidents in the US were caused by poor decision-making, human error, and ignorance on the part of employees. Around 33% of C-suites and 36% of SBOs in the US accepted that human error is a cause of data breaches. In Canada, 40% of C-suites and 42% of SBOs recognized human error as a source of data breaches.
Information security management protocols and employee training should go hand in hand at every phase of business growth. Businesses of all sizes can improve their data security by making effective training a priority. Around 48% of C-suites in the US train their employees once a year or less on the information security policies adopted in their organization. 38% of SBOs do not train their employees at all at any stage. In Canada, 68% of C-suites trained their employees once a year or less on the information security protocols they had adopted, whereas 41% of SBOs never trained their employees.
Looking at these facts, it is clear that reducing the risk of breaches is tied to human error and the tools used during work. One of the best ways to ensure information security is to make sure that all employees understand the document management, storage, and destruction protocols for confidential and non-confidential data. Only through comprehensive training programs can employees understand the culture of security in the business.
Even the most advanced technology with the best information security management and protection features cannot mitigate the risks completely unless the employees are fully aware of their roles and responsibilities regarding data security. Both small and large businesses can manage sensitive data once they have debunked the security myths and understood the facts. Only after serious consideration of the current knowledge possessed by businesses and their leaders can decisions be made in favour of customer data protection and the reputation of the industry.
Myth: It is safe to enter personal information on the website if the link comes from reputed and recognizable sources or individuals
Fact: This is the most common mistake committed by the employees of a business. Thieves and fraudsters use the identity of a known individual or agency, impersonating banks and government agencies, to obtain bank account information and credentials. These requests are commonly sent through very deceitful scam emails, designed to look genuine so that they persuade the reader to provide corporate information. Phrases such as "please visit the website for more details" and "verify your identity by entering confidential data" are used to trap employees. The lesson for everyone is that no business or personal information should be entered anywhere without proper investigation of the source and its credibility. According to experts, readers should navigate to the website via bookmarks or type the address directly.
Myth: It is totally safe to dispose of company information in dustbins and recycle bins unless the paper is torn into pieces.
Fact: Document and paper recycling is a healthy practice for protecting the environment. However, open and exposed recycling bins are an attractive invitation to infiltrators and malicious insiders. They are insecure spots from which torn pieces of paper can be removed and rearranged to infer important data. To prevent this risk of a data breach, locked consoles should be available in the open spaces of the office. Every document must be shredded into the tiniest pieces using professional shredding techniques before it enters the recycling stage, in keeping with document protection policies. This is also an effective way to remain environmentally responsible by recycling paper.
Myth: Using smartphones and other devices at work is completely safe as long as they are password protected
Fact: It is unreasonable and unfeasible to disallow employees from using their own devices at work. Allowing employees to use their own devices can create greater flexibility and comfort at work. But even if personal devices are password protected or have strong security protocols, they should not be used for professional work. If they are nevertheless used for professional jobs, they must be encrypted and made unreadable to any outsider. In case the device is lost or stolen, the encryption will protect the private data stored on the device, and the device can be set to automatically delete every single piece of data present on it. A bring-your-own-device (BYOD) policy should be adopted to protect corporate systems.
Myth: Removing data from a hard drive with a magnet results in permanent deletion of information
Fact: Hard drives are resistant to magnets. Sophisticated technological advances have led to better design and performance of hard drives. The data on a hard drive remains accessible even after it becomes corrupt or a magnet is applied to it. Only with a properly designed physical destruction protocol in place can some assurance about permanent data deletion be given. Without physical destruction, employees might unknowingly expose confidential information to third parties that recycle or resell electronic items. Physical destruction of hard drives can be carried out with the assistance of a third party. Professionals must perform the secure and unrecoverable destruction of hard drives.
Myth: It is safe to keep documents and working materials on the desk
Fact: It might seem harmless to leave sheets of paper and documents containing private data on the working desk. However, it is highly inadvisable to leave papers containing confidential and sensitive information on the desk, since they are vulnerable to physical theft. Organizations should implement a clean desk policy under which all documents are placed in lockers and cabinets before and after work. By introducing this policy, the risks of fraud are reduced significantly. Employees also become more aware of organizational skills and declutter their desks frequently. Employees can be encouraged further by being appreciated for maintaining clean and tidy desks.
By failing to ensure that employees understand and follow the policies and protocols for information security, businesses put themselves at greater risk of losing reputation and customers. By prioritizing data protection, new growth opportunities can be achieved. It promotes an environment of discipline, trust, confidence, and development among employees. So bust these myths and this misinformation today, and take the path of security and building trust.
Action-Reaction
Under security and data protection legislation, regulators have the power to review your policies and procedures at any given time. You must keep yourself up to date and meet the evolving data management requirements. Some of the policies that you should consider are:
- Organize your data into confidential and non-confidential categories and store it or securely destroy it according to your needs
- Keep an accurate record of the data that has been destroyed and of the data still preserved in the office for later destruction
- Choose the destruction methods appropriately, such as physical destruction of electronic data on devices, destruction of equipment, and destruction of paper documents containing private data, as well as destruction of data when requested by a customer
Other considerations worth mentioning are:
- Appointing a data protection officer to keep a record of all data used and destroyed. It is good practice to have one person responsible for managing information security in your organization.
- Privacy impact assessments for risk assessment and identification of vulnerable areas where private information could be at risk. Through regular assessments, new strategies can be developed to prevent a major data breach.
- Being notified of a breach within the 72-hour reporting time frame is critical. Having a notification process helps in enacting the response plan on time and taking immediate action against the breach.
- Compliance training is the responsibility of all employees working at every level. Executives, managers, and general workers should understand the importance of a secure environment.
- Employees must also be trained on the legal implications of failing to comply with the security protocols adopted by the organization.
- Seek legal help and eliminate any loopholes that could lead to a data breach. Learn about the GDPR and other privacy protection legislation to ensure a complete understanding of the legal requirements.
Every major region of the world with established businesses has its own security protocols and must also comply with state legislation. Failing to comply can bring harsh consequences for the organization and the responsible individuals working in its offices. It is not too late to start preparing now.
Legislations and Compliance
Globally, new technologies have brought complex privacy and security risks for both individuals and organizations. Ultimately, all of these increase the pressure on government agencies to ensure that privacy legislation is in place and keeps evolving as the times require.
Organizations must adapt to these government legislations on privacy and ensure that their information security policies are aligned with government protocols. Business leaders must understand the compliance requirements regarding the storage, maintenance, and destruction of private information. Here is a summary of relevant regulatory updates in practice.
The General Data Protection Regulation (GDPR), established by the European Union, is legislation governing the privacy and security of personal data. Companies belonging to the European Union and working with the data of European citizens must comply with these regulations. Any business organization that handles, processes, and stores European Union citizens' data, even without a physical presence in the EU, must comply with this legislation.
Data such as genetic information, health status, IP addresses, and similar personal information comes under GDPR.
Financial penalties apply to organizations that fail to protect customer data from a breach. The penalties could be equal to 2% of the annual global turnover of the organization or €20 million, whichever is higher.
The rights that are protected under GDPR include:
- The right to be forgotten, under which businesses are not allowed to hold a customer's personal information longer than required to fulfil a purpose.
- The right to restrict processing, under which organizations must pause the processing of an individual's data on request.
- Rights concerning automated decision-making and profiling, under which organizations must provide human intervention in decisions regarding the use of an individual's data on that individual's request.
- The right to object, under which the individual can question the organization about data usage and consent before their data is used for marketing purposes.
- The right to data portability, under which organizations must provide an individual's personal data in a structured format so that it can be transferred to another data controller on request.
What happens after a data breach?
Companies under the GDPR must be compliant with all of its rules and regulations. Any organization that suffers a data breach must report the incident within 72 hours of becoming aware of it. Organizations have to provide details on the individuals whose confidential data was leaked and on those who are at risk.
How EndoShred maintains Information security
EndoShred can be your third-party security partner, since we meet every challenge that an organization faces with the growing amount of private data. With the latest and most advanced information security services, we protect your documents, build trust with your customers, and enhance your business.
We at EndoShred provide every possible solution for safeguarding data, enhancing reputation, and connecting more customers to your company. Partner with us to experience the management of confidential documents in simple and easy ways.
What do we provide?
- Destruction of electronic devices such as hard drives, compact discs, memory sticks, and other material holding confidential data
- Shredding of documents containing private information into tiny pieces in a secure environment
How do we assist in compliance with privacy laws?
When you decide to partner with us, you make the best decision. The methodology we adopt is fully regulated according to the privacy laws.
- We provide highly secure locked consoles for depositing confidential documents.
- Trained professionals shred the confidential files at your organization in the most secure way.
- A certificate guaranteeing 100% safe destruction is provided at the end of the process.
- Any trusted person from the office is welcome to watch the process happening on-site.
Benefits of partnering with us
- Get rid of unwanted confidential files in the most secure manner.
- Get awarded annually for following environment-friendly guidelines.
- Save yourself from the mess of legal proceedings.
Why choose us?
Well trained officers for shredding
We have considerable experience in shredding for companies in the UAE. We are a leader in this area of information security because of the expertise we offer. Trained and well-informed officers execute the task of shredding documents on the spot, at your office premises. They know their business well. They collect the locked consoles and carry them to the shredding truck. The entire process is carried out confidentially, and you are welcome to watch the destruction happening.
All-rounder services
For us, it does not matter whether you are a small-scale or a large-scale business. We consider document security the primary concern. Any document or data that needs shredding will be handled by us with the utmost dedication and sincerity. We have won the trust of hundreds of customers across the nation. The continued excellence of the services we provide sets us apart from the rest of the shredding companies.
Customer-friendly experience
We are 100% committed to serving you in the best possible ways. Our work is serious while our staff remain friendly at the same time. We ask for your permission and your time before executing the shredding process. Our customers have had very pleasant experiences in the past. Because of the friendly behavior of our workers, the working environment becomes friendly too.
Ease in customization
We offer customers the services they wish to avail of. There is a wide choice among the services that we provide. You can dispose of documents, electronic devices, or hard disks containing confidential data in a few simple steps. Choose any of the shredding methods according to the data you wish to dispose of.
Schedule the shredding
We are just a call away. You can choose any date and time according to your convenience and schedule. We send the shredding trucks to your workplace whenever required, and the crew accompanying the truck is available as per your needs. You can book the date and time whenever you feel the need to dispose of confidential waste.
Sources:
All of the statistics provided (unless otherwise stated) are from the Shred-it 2017