June 20, 2018

British Businesses Sacking Employees for Data Breach Negligence, In Spite of Inadequate Training Practices: Shred-it Study

London - 20 June 2018 – Nearly a third of UK companies (31 percent) that have suffered a data breach have terminated an employee’s contract for related negligence, according to data from Shred-it’s seventh annual State of the Industry Report, released today.

The annual study exposes information and data security risks currently threatening UK enterprises and small businesses and includes survey findings from the Shred-it Security Tracker. Ipsos conducted a quantitative online survey of three distinct sample groups in the UK – 1,000 Small Business Owners (fewer than 100 employees), over 100 C-Suite Executives of large organisations (at least 250 employees) and over 1,100 consumers/employees.

The study also reveals that UK businesses understand that employee negligence plays a major or moderate role in data security breaches. The vast majority of C-Suites at large organisations (88 percent) believe that employee negligence is one of the biggest information security risks to their organisation, and half (49 percent) of small business owners (SBOs) feel the same.

However, that understanding has not led to action in the shape of robust training programmes in many businesses. Just over half (55 percent) of large businesses have trained their employees on the use of public Wi-Fi and only 70 percent have provided training on identifying fraudulent emails (the latter was the highest rate among any critical security training). Overall, just 46 percent of small businesses offer any of the key employee training at all, with just a quarter (27 percent) having provided training on the use of public Wi-Fi and a third having offered training on identifying fraudulent emails.
 
In addition, only two-thirds (66 percent) of large British businesses and 26 percent of small business owners have offered their employees specific GDPR-related training. The report suggests that more training is sorely needed. One in four (27 percent) employees studied as part of the Security Tracker research confessed to leaving work documents or notebooks on their desk, while one in six (16 percent) leave their computer on and unlocked when they leave work for the day.
 
Neil Percy, Vice President Market Development and Integration EMEA, Shred-it, said: “It might feel like rough justice for employees to be held to account when training is not comprehensive, but it reflects how difficult this process is, even for businesses with extensive resources. There may also be an assumption that some elements are common sense, but that potentially belies how easy it is to be duped by skilled phishers and hackers, or even to lose confidential info during the course of a busy day. Mindfulness is key and training helps.”
 
“The lack of ubiquitous training on GDPR, for example, suggests that a large proportion of the British workforce is not appropriately trained for the kinds of safeguards necessary under GDPR.”
 
GDPR Compliance Likely Patchy

Beyond a lack of training for employees, Shred-it’s findings, from research conducted on the eve of the enforcement deadline for GDPR, suggest that most businesses have not undertaken key steps to establish compliance. In terms of some key preparation measures:

  • Just 46 percent of large businesses have reviewed policy notices, compared with 17 percent of small businesses.
  • Less than half (44 percent) of large businesses have documented the lawful basis for data processing, compared with 19 percent of small businesses.
  • Only 42 percent of large businesses have assigned a data compliance officer, compared with 17 percent of small businesses.
  • A little over one-third (39 percent) of large businesses have updated procedures for detecting, reporting and investigating a data breach, compared with 15 percent of small businesses.

“Data previously released by Shred-it showed GDPR awareness was still at alarmingly low levels as the regime was coming into full force,” noted Mr Percy. “When it comes to specific preparations, too many businesses are way behind the curve. British companies need to close the gap on what information they are permitted to hold and what they must delete, and also extend the focus beyond the purely digital to consider physical formats, equally important under GDPR.”

Is Working Remotely Working?

As working from home and open-concept offices become increasingly popular, businesses are put at greater risk of data breaches caused by human error. The vast majority of large businesses in the UK (96 percent) and more than half of small businesses (52 percent) reported employees using offsite or flexible working models. Most C-Suites in the UK (90 percent) believe that the option to work remotely will become increasingly important to their employees over the next five years, as do two-thirds of small business bosses.

As the prevalence of remote working increases, so do the risks. Half of C-Suite leaders report that employees have lost company mobile phones and company laptops (45 percent) while working off-site. The majority of C-Suites in the UK (75 percent) do have policies for storing and disposing of sensitive data for employees working off-site, but a quarter confess that not all employees are aware of these policies (22 percent) and another quarter (23 percent) admit they do not have a policy at present. Small businesses fare worse, with over half (57 percent) of bosses stating they do not have a policy in place at all.
 
About the 2018 Security Tracker Study:

Ipsos is one of the largest and best-known research companies in the world. With a direct presence in 60 countries, its clients benefit from specialist knowledge drawn from five global practices: public affairs research, advertising testing and tracking, media evaluation, marketing research and consultancy, customer satisfaction and loyalty.

Ipsos conducted a quantitative online survey of two distinct sample groups:

  • Small Business Owners (SBO) in the United Kingdom (n=1,000), all of whom have fewer than 100 employees.
  • C-Suite Executives in the United Kingdom (n=100), with the minimum threshold in the U.K. being 250 employees.

 
The precision of Ipsos online surveys is calculated via a credibility interval. In this case, the UK SBO sample is considered accurate to within +/- 3.5 percentage points had all UK small business owners been surveyed, and the UK C-Suite sample is accurate to within +/- 11.2 percentage points had all UK C-Suite Executives been surveyed.

The fieldwork was conducted between April 9th and April 23rd, 2018.

In order to provide a solid base for analysis by industry sector, respondents’ industry sectors were grouped as follows:

  • Retail: Wholesale & Retail + New Car Sales
  • Business Services: Professional/Scientific/Technical Services + Computer/Software IT + Communications
  • Finance/Legal/Insurance: Insurance Agents/Brokers/Carriers/HQ + Legal + Finance & Accounting
  • Public Services: Health & Social Care + Education + Public Sector/Defense/Justice/Government
  • Real Estate: Real Estate Agents & Brokers + Facilities Management + Hospitality
  • Other: All other sectors

 

About Shred-it

Shred-it is a world-leading information security company providing information destruction services that ensure the security and integrity of our customers’ private information. Shred-it, a Stericycle solution, operates in 170 markets throughout 19 countries worldwide, servicing more than 400,000 global, national and local businesses. For more information, please visit www.shredit.co.uk.