In spite of intense GDPR efforts, many retail businesses in the UK still lack critical data security policies, procedures and training, according to data from Shred-it’s eighth annual State of the Industry Report, recently released.
Eight percent of leading retail executives report that their companies have fallen victim to a data breach, yet many do not have key policies in place:
- A quarter (25 percent) of retailers have no information security policies or procedures in place at all
- Over a third (35 percent) have no policy in place at all for storing and disposing of confidential paper documents (the highest of any other sector – financial 20 percent, public sector 21 percent, real estate 29 percent and business services 35 percent)
- Forty-one percent have no policy in place at all for storing and disposing of confidential information on electronic devices
Data security training also has some significant gaps for retailers with 40 percent not covering any of the foundational information security training areas with employees. In addition, few retailers are offering employees support in specific key areas:
- Just 32 percent have trained employees on the use of public WiFi
- Just 31 percent have trained employees on identifying fraudulent emails (particularly problematic due to the malware and ransomware damage caused by phishing attacks)
- Just 40 percent have trained employees on reporting a lost or stolen device (a key issue under the new GDPR compliance rules)
Yet the training is sorely needed. The following proportions of retail businesses have seen these issues arise for employees working off-site:
- 14 percent – lost/stolen company mobile phone
- 8 percent – lost/stolen company laptop
- 9 percent – lost/stolen storage device
The annual study exposes information and data security risks currently threatening UK enterprises and small businesses and includes survey findings from the Shred-it Security Tracker.Ipsos conducted a quantitative online survey of three distinct sample groups in the UK – 1,000 Small Business Owners (>100 employees), over 100 C-Suite Executives of large organisations (<250 employees) and over 1,100 consumers/employees.
Neil Percy, Vice President Market Development and Integration EMEA, Shred-it, said: “It might feel like rough justice for employees to be held to account when training is not comprehensive, but it reflects how difficult this process is, even for businesses with extensive resources. There may also be an assumption that some elements are common sense, but that potentially belies how easy it is to be duped by skilled phishers and hackers, or even to lose confidential info during the course of a busy day. Mindfulness is key and training helps.”
“The lack of ubiquitous training on GDPR, for example, suggests that a large proportion of the British workforce is not appropriately trained for the kinds of safeguards necessary under GDPR.”
Overall findings – workers terminated in spite of lack of training
A third of UK companies (31 percent) that have suffered a data breach have terminated an employee’s contract as a result.
However, that understanding has not led to action in the shape of robust training programmes in many businesses. Just over half (55 percent) of large businesses have trained their employees on the use of public Wi-Fi and only 70 percent have provided training on identifying fraudulent emails (the latter was the highest rate among any critical security training). Overall, just 46 percent of small businesses offer any of the key employee trainings necessary at all, with just a quarter (27 percent) having provided training on the use of public Wi-Fi and a third having offered training on identifying fraudulent emails.
In addition, only two-thirds (66 percent) of large British businesses and 26 percent of small business owners have offered their employees specific GDPR related training. The report suggests that more training is sorely needed. One in four (27 percent) employees studied as part of the Security Tracker research confessed to leaving work documents or notebooks on their desk, while one in six (16 percent) leave their computer on and unlocked when they leave work for the day.
GDPR compliance likely patchy
Beyond a lack of training for employees, Shred-it’s findings, conducted on the eve of the enforcement deadline for GDPR, suggest that most businesses have not undertaken key steps to establish compliance, especially the smaller firms. In terms of some key preparation measures:
- Just 46 percent of large businesses have reviewed policy notices, 17 percent of small businesses have.
- Less than half (44 percent) of large businesses have documented the lawful basis for data processing, 19 percent of small businesses.
- Only 42 percent of large businesses have assigned a data compliance officer, 17 percent of small businesses.
- A little over one-third (39 percent) of large businesses have updated procedures for detecting, reporting and investigating a data breach, 15 percent of small businesses.
“Data previously released by Shred-it showed GDPR awareness was still at alarmingly low levels as the regime was coming into full force,” noted Mr. Percy. “When it comes to specific preparations, too many businesses are way behind the curve. British companies need to close the gap on what information they are permitted to hold and what they must delete, and also extend the focus beyond the purely digital to consider physical formats, equally important under GDPR.”
Is working remotely working?
As working from home and open-concept offices become increasingly popular, businesses are put at greater risk of data breaches caused by human error. The vast majority of large businesses in the UK (96 percent) and more than half of small businesses (52 percent) reported employees using offsite or flexible working models. Most C-Suites in the UK (90 percent) believe that the option to work remotely will become increasingly important to their employees over the next five years, as do two-thirds of small business bosses.
As the prevalence of remote working increases, so do the risks. Half of C-Suite leaders report that employees have lost company mobile phones and company laptops (45 percent) while working off-site. The majority of C-Suites in the UK (75 percent) do have policies for storing and disposing of sensitive data for employees working off-site, but a quarter confess that not all employees are aware of these policies (22 percent) and another quarter (23 percent) admit they do not have a policy at present. Small businesses fare worse, with over half (57 percent) of bosses stating they do not have a policy in place at all.