Despite rise in data breaches, fewer than 50% of businesses have an incident response plan: report

Half of all small and medium businesses in Canada have experienced a data breach

As businesses continue to generate more and more data each day, the threat of breaches has never been higher, so legal departments are playing a vital role in protecting their organizations. However, more than half of business leaders do not have an incident response plan, according to a new report by Shred-it – a security service provided by Stericycle Inc.

The 11th annual Data Protection Report found that 50 per cent of professional services organizations in North America have experienced a data breach. In the 2021 report, half of all small and medium businesses in Canada said they had experienced a data breach at some point, compared with only 12 per cent in last year’s report. The share of large businesses reporting a data breach rose from 43 to 49 per cent in the past year.

“The growth of data is exponential, and because of that it’s becoming more accessible, and with that data comes value if you can interpret it,” says Michael Borromeo, vice president of data protection for Stericycle.

While malicious outsiders are responsible for the majority of data breaches, employee errors also account for 22 per cent, the report found. Remote work is a factor in security threats as 63 per cent of employees surveyed who work remotely regularly print work documents, and one quarter of them dispose of these documents in the recycling or garbage.

Alarmingly, more than half of all business leaders do not have an incident response plan in place, despite knowing the risks, according to the findings of Shred-it’s report. Only 38 per cent of professional services firms that were surveyed have a response plan in place.

“A response plan is really an important piece to an overall security program because that is your instructions for how your organization is to respond,” says Borromeo. “If you don’t have a plan, your ability to remediate swiftly and efficiently and comprehensively is seriously undermined.”

Data breaches can have a significant impact on the reputation of an organization. In fact, more than 80 per cent of consumers decide who to do business with based on a company’s reputation for data security, the report found. Consumers continue to take their personal information security very seriously with 90 per cent in Canada indicating the level of importance as “extremely high”.

Approximately four out of 10 business leaders rate the risk of an attempted data breach in the next 12 months as a ‘four’ or ‘five’ on a five-point risk scale, with ‘five’ being the highest risk.

Legal departments must maintain a pure and open line of communication with other key stakeholders that play a role in protecting the organization, Borromeo says.

“When we are talking about the protection of data within a company, it is everybody’s responsibility,” says Borromeo. “The legal department must first ensure there are open lines of communication between those departments so that the organization can respond nimbly and comprehensively when issues occur.” Legal is also responsible for making sure all departments understand all the key data protection and privacy laws that are relevant to the organization and its particular jurisdiction, he says.

Borromeo anticipates a continued rise in incidents of data breaches in the years ahead as more and more features of our lives become connected to the internet, thus creating more and more data, and therefore more risk.

Shred-it surveyed C-level executives, small and medium business owners, and consumers across Canada and the U.S.