Some of the Biggest Data Risks Are Low Tech

In a survey, seven in 10 managers say they had found a confidential document left in a printer.

(Photo: Shutterstock)

Data breaches cost American financial organizations $5.9 million per breach on average. Meanwhile, sensitive information is routinely misplaced or left where others can find it.

A report released Monday by Shred-it, an information security service, found that 68% of businesses reported at least one data breach in the past 12 months. Three in four involved loss or theft of paper documents or electronic devices containing sensitive information.

The report revealed a discrepancy in priority between cybersecurity and physical security, and the mistakes employees and managers make that may be contributing to a rise in data breaches.

It said common workplace occurrences may be at the root of the problem as 65% of managers expressed concern that their employees or contractors had printed and left behind a document that could lead to a data breach.

Those fears were not overblown. Seven in 10 managers said they had seen or picked up confidential documents left in a printer, and more than three in four managers admitted that they had inadvertently sent an email containing sensitive information to the wrong person.

And 88% reported having received an email containing sensitive information they were not intended to receive from someone within or outside of their organization.

“The report reveals two key factors about information security in North American businesses — employee negligence, intentional or not, can be a leading contributor to data breaches and that businesses should equally consider the needs for cybersecurity and physical information security within their organization,” Ann Nickolas, senior vice president at Stericycle, the provider of Shred-it information security solutions, said in a statement.

“Although cybersecurity is no doubt an important element of protection, businesses should look to strike a balance between investing in physical security and cybersecurity, as well as integrating better communication with employees on risk factors, to best arm themselves against potential breaches.”

The Ponemon Institute conducted an online study in August involving 650 managers in IT security and non-IT positions in a variety of North American business sectors who were knowledgeable about their organization’s strategy for the protection of confidential and sensitive information.

Where Breakdowns Occur

Other findings in the report showed that employees may be gaining access to sensitive or confidential information. One reason is that organizations may not be restricting employees from seeing physical paper documents they should not have access to.

Only 33% of respondents said they used physical security to prevent unauthorized access to document storage facilities. Thirty-eight percent said they stored documents in filing cabinets or locked desks. Less than a third enforced a clean desk policy.

Half of managers said their organization did not take any of these steps.

Three in five managers surveyed agreed that employees, temps and contractors had access to paper documents that were not pertinent to their role or responsibility.

Managers are not off the hook for neglecting sensitive and confidential information.

Fifty-one percent of managers surveyed said they lacked a process for disposing of paper documents containing such information after they are no longer needed.

After reviewing a paper document, 21% said they tossed the document in the trash.

More than half of managers reported that they had been targeted by a phishing email or social engineering scam at work, but only four in 10 said they had contacted their supervisor about this.