It doesn’t take the stealth and sophistication of a cyber attacker to cause a data breach. A careless employee leaving a sensitive document in a communal printing tray or a malicious insider intent on stealing information in documents that have not been properly destroyed can result in the loss or theft of critical information assets.
Sponsored by Shred-it, the research reveals the inadequacies in organizations’ policies regarding the protection of confidential documents in the workplace. Ponemon Institute surveyed 650 individuals who work in both IT security and non-IT positions in North American organizations. All respondents are knowledgeable about their organization’s strategy for the protection of confidential and sensitive information.
“The report reveals two key factors about information security in North American businesses – employee negligence, intentional or not, can be a leading contributor to data breaches and that businesses should equally consider the needs for cybersecurity and physical information security within their organization,” said Ann Nickolas, Senior Vice President, Stericycle, the provider of Shred-it information security solutions. “Although cybersecurity is no doubt an important element of protection, businesses should look to strike a balance between investing in physical security and cybersecurity, as well as integrating better communication with employees on risk factors, to best arm themselves against potential breaches.”
Many data breaches involve the loss or theft of information contained in paper documents and electronic devices. According to the findings, 68 percent of respondents say their organization experienced a data breach in the past 12 months. Of these respondents, 69 percent say one or more of these data breaches involved the loss or theft of paper documents or electronic devices containing sensitive or confidential information.
Why documents containing sensitive and confidential information are at risk:
There is a security disconnect in the protection of confidential documents. The chief information security officer and chief security officer are most responsible for protecting confidential information, according to 21 percent and 18 percent of respondents, respectively. However, they rarely have responsibility for granting access to paper documents or electronic devices containing sensitive or confidential information.
Most companies are not training employees about secure disposal. Only 45 percent of respondents say their organizations have a process for disposing of paper documents containing sensitive or confidential information after they are no longer needed. Less than half (46 percent of respondents) say their organizations are training employees about the steps they should be taking to ensure documents are appropriately disposed of. Furthermore, very few respondents say their organizations automate restrictions on printing from specific devices (29 percent) or on printing specific files (27 percent).
Organizations are not taking basic precautions to prevent the loss or theft of confidential documents. Confidential documents are not secure because few organizations are requiring employees and contractors to lock their desks and file cabinets (38 percent of respondents). Only 33 percent of respondents say they prevent unauthorized access to document storage facilities and 31 percent of respondents say a clean desk policy is enforced.
The lack of policies and training for secure disposal is affecting respondents’ confidence in keeping confidential documents secure. Only one-third of respondents have confidence in their organizations’ ability to govern the use, protection and disposal of paper documents. Fewer respondents (26 percent) are confident that they have visibility into what employees are doing with confidential documents.
Organizations are unable to restrict employees’ access to paper documents they should not see. Most respondents (61 percent) are unsure or disagree that the protection of paper documents is just as important as the protection of electronic records. As a result, 60 percent of respondents strongly agree or agree that employees, temporary employees and contractors have access to paper documents that are not pertinent to their role or responsibility.
Only 37 percent of respondents strongly agree or agree that it is convenient for employees and contractors to destroy paper documents with sensitive and confidential information. The fact that only 41 percent of respondents agree employees and contractors recognize the types of information that are sensitive or confidential demonstrates the lack of training in organizations.
Confidential documents are left in plain sight. Sixty-five percent of respondents are concerned that employees or contractors have printed and left behind a document that could lead to a data breach. Even more respondents (71 percent) admit they have picked up or seen a paper document in a public space that contained sensitive or confidential information.
More than half (51 percent of respondents) say they either keep the document or throw it in the garbage. Only 33 percent of respondents say they shred the document after reviewing it.
Sensitive or confidential information is exposed when emails reach people who are not the intended recipient. Seventy-seven percent of respondents admit to sending emails containing sensitive or confidential information to the wrong person. Eighty-eight percent of respondents say they have received such emails.
In the report, we provide a deeper dive into the key findings. The complete audited findings are presented in the Appendix. We have organized the report according to the following themes:
- Steps taken to protect confidential information in paper documents and electronic devices
- Reasons for the insecurity of confidential documents in the workplace
- The practices of organizations that are confident in their ability to protect sensitive information in paper documents