Businesses remain ill-prepared to meet information security challenges

June 23, 2018

Businesses in Australia need to lift their game if they are to meet the high expectations of their customers around information security.

That is the message from the 2018 Shred-it State of the Industry Report which identifies a disconnect between the expectations consumers have of service providers when it comes to managing their personal information securely, and the level of preparedness of these organisations.

The annual study exposes information and data security risks currently threatening Australian enterprises and small businesses and includes survey findings from the Shred-it Security Tracker.

The last year has been a turbulent one with a number of consumer data breaches or mishandling of personal information, such as Cambridge Analytica, and growing concerns about privacy. “In this environment, business leaders need to reassess how they protect their customers and organisation from potential security risks and breaches,” says Tom Bell, Country Manager, Shred-it Australia.

The research also surveyed consumers and showed that the vast majority of Australians feel that data protection is extremely important when making decisions about choosing service providers in key industries, such as banking (93 percent), mobile or internet (89 percent), legal (87 percent) and health care (84 percent).

Alarmingly, the report highlighted a lack of understanding among businesses around legislative requirements and a need for organisations to invest more time and resources to equip their staff to adequately protect confidential information in an evolving workplace.

Despite their legal obligations, only 50 percent of all respondents have a strong understanding of these requirements. When it comes to having policies for storing and disposing of confidential data on electronic devices, only 32 percent have a policy that is strictly adhered to and 50 percent have no policy at all.

Even when an organisation has in place comprehensive policies, these are only effective if employees are confident and diligent in their application. Yet, mirroring a lack of procedures, training is not being done adequately.

Across the board, only 55 percent train their staff on information-security procedures or policies. Seventy-two percent of small business owners (SBOs) report training staff only on an ad hoc basis, which is a step backwards from 59 percent in 2016.

“In an age of digital communication, the importance of physical materials, such as paper, is sometimes overlooked,” said Mr Bell. “For instance, our research shows that across all respondents, only 45 percent have a policy that is strictly adhered to and 39 percent have no policy at all for storing and disposing of confidential paper documents.

“Yet, 59 percent think paper use will stay the same or increase over the next year, leaving organisations vulnerable to the loss or theft of paper-based private information.”

Australian businesses are facing significant challenges, combined with an increasingly stringent and complex regulatory environment, with mandatory reporting of breaches under the Notifiable Data Breaches (NDB) scheme and the new EU General Data Protection Regulation (GDPR) framework.

The likelihood of eroded customer and community trust resulting from a breach of privacy information is a major business risk. The troubling first quarterly report by the Office of the Australian Information Commissioner in April revealed that in just the first six weeks of the new legislation, there had been 63 notifications of breaches.

In an environment of heightened sensitivity to privacy and security of data, business owners and organisational leaders are under pressure to meet not just their legal obligations, but also consumer and community expectations. This research shows that customers will reconsider their choice of service provider if they are not perceived to be managing and protecting their data well.

“The research offers a wake-up call to organisations responsible for information security,” concluded Mr Bell. “Businesses need to act now to put in place the policies, practices, training and above all, a culture, to deliver on information security. Their reputation, trust among customers and ultimately, their business success, may depend on it.”
