Senior vice-president, Shred-it.
Data protection is no longer the domain of the IT department – the responsibility belongs to everyone. That requires a big change in how we organize, execute and implement security protocols. But most of all, it requires a change in culture to empower everyone to own a shared mission: protecting our business. Leaders of organizations need to move ownership over data security from the responsibility of one to the responsibility of many.
While the explosion of digital has opened enormous opportunity for real-time connections, information sharing and business growth, it has also democratized access to content, expanded the use of electronic devices and created new vulnerabilities across organizations. However, recent research found that many Canadian businesses are not keeping up with the complex privacy and security risks associated with a digital workplace.
Shred-it's 2017 Security Tracker, an annual survey of information security trends in Canada conducted by Ipsos, revealed that businesses of all sizes fall short when it comes to the disposal, destruction and storage of electronic devices. In short, Canadian businesses are vulnerable.
The survey found that, while the majority of Canadian C-Suites have some kind of policy in place for the use of electronic devices in their workplace, almost half (44 per cent) don't have a policy in place that is adhered to by all employees for disposing of confidential data found on electronic devices. And half of small businesses say they don't have a policy in place at all for governing the use of electronic devices, let alone disposing of the confidential data they contain (46 per cent have no policy for destroying confidential information on electronic devices). From smartphones to tablets, the door is wide open for data breaches that put customers, employees and your business at risk.
At Shred-it, I have worked with hundreds of businesses – from small three-to-four person shops to large complex businesses with thousands of people (and devices) spread across Canada and around the world. While the scope of their needs may differ, they all share an underlying need: protecting workplace privacy. Regardless of your business's size, there are a few simple steps you can take to protect your information in the digital era.
Know your business
Many readers will say, "Of course I know my company." But do you really? Do you know who has access to what data on which device? Do you know if those devices belong to you or your employee? Do you know what happens to those devices and the information on them when they are no longer used? You can't control where data flows, so you need to be armed with information and a clear map of every digital touchpoint. Destroying old hard drives and other electronic devices on a regular basis is also critical.
The fact is that most (93 per cent) of C-suite leaders have at least some employees working off site, and one in five have no policies in place to govern the disposal of confidential information outside the office. That's an invitation for confidential data to "escape."
Train, train … train again
Every organization with a data breach implements a training program to avoid future issues. But that's too late. The first round of damage is done, and your proprietary information is already in the wrong hands.
Training must be preventive, not remedial. Whether you're three people or 3,000, take the time to ensure your people are aware of the risks and their responsibility. Data security has to become a reflex, not just a process. Training also reduces the risk of accidental breaches where human error, not malfeasance, is the culprit. It takes 194 days, on average, to contain a data breach caused in error. Training can significantly reduce not only this time but also the cost of recovery.
Be a role model
As a leader, you need to set the tone and lead by example. The "tone from the top" is critical in empowering your people to see security as part of their job. Leaders have to be in the front row of training sessions, show care in how they share information, and be public about the way they destroy old devices and data as they change tools or upgrade phones.
Risk can be mitigated
Whatever your workplace environment or size, making information security a core part of your business is one of the best things you can do to protect your business, employees and customers over the long term. In an age when technology is changing rapidly, the most successful and secure businesses have leaders who continuously adjust policies and nurture a culture that values information security.
Executives, educators and human resources experts contribute to the ongoing Leadership Lab series.