Information Security - Shred-it Australia | Secure ...

State of the Industry Information Security 2018 AUSTRALIA



Business is evolving, and data protection practices must evolve with it.

2018 STATE OF THE INDUSTRY REPORT | Australia


Contents

Introduction 3
Situation Analysis 4
Security Tracker Infographic 5
Lack of Policies & Training 6
Awareness Mismatch 8
Changing Work Models 10
Ask the Expert 12
Recent Changes in Privacy Legislation 14
Summary 16


Introduction

After a turbulent year marked by the mishandling of consumer data and growing concerns about privacy, business leaders need to reassess how they protect their organisations from potential security risks and breaches.


Through an analysis of current industry understanding and preparedness, and by providing recommendations on how to improve information security practices, the Shred-it State of the Industry Report (the Report) inspires business leaders to take action to meet and exceed industry best practice when it comes to protecting the data of their customers, employees and partners.

The Report includes findings from the Australian Shred‑it 2018 Security Tracker (Security Tracker), a survey conducted in Australia in April 2018 of over 1,100 respondents from large and small businesses across the nation. To provide context for business responses, a short survey was also conducted of 1,000 individuals from the general population about data protection and the value they place on the security of data when choosing a service provider.

This is the third year that the Security Tracker and the State of the Industry Report has been produced for Australia, although Shred‑it has been producing both the survey and report for several years in North America and the United Kingdom, providing global context for this unique research. This year’s Report illustrates changes since it was last released in 2016, revealing a concerning negative trend in certain key areas.

Legislative Understanding: The Report highlights a lack of understanding around legislative requirements and a need for businesses to invest the time and resources required to equip their staff to adequately protect confidential information in an evolving workplace.

Consumers: The information in this Report highlights the importance of data security to consumers and the value to businesses, in terms of customer retention, reputation and financial outcomes, of paying close attention to data management.

Regulation: The Report also reveals scope for government to play a more supportive role for businesses and to strengthen its commitment to information security. Support is especially important in the face of increased legislation and regulation, in addition to data breach scandals that have undermined public trust in the ability of organisations to protect their privacy.

A heightened awareness of information security and a changing regulatory landscape means that businesses must ensure that appropriate security policies and protocols are in place to better protect important information and, in turn, the reputation and financial success of the business. This Report offers some practical advice on simple steps that can be taken to assist organisations to achieve these outcomes.

To learn how you can protect your company, people and customers from fraud, visit the Shred-it Resource Centre at: Shredit.com.au/resource-centre


Situation Analysis

In an environment of heightened sensitivity to privacy and security of data, business owners and organisational leaders in Australia need to have a thorough understanding of the importance of information security and put in place policies to deliver on their customers’ expectations. Businesses must ensure that they not only have in place strict information security policies but that they also educate their workforce and ensure that employees have access to the appropriate tools and protocols to implement the policy. They need to fully address areas of risk that could make them vulnerable to a significantly damaging data breach.

A series of high profile privacy and data breaches such as the Cambridge Analytica scandal and a number of telco and banking institutions being subject to hacking have increased scrutiny from consumers and regulators alike. The vast majority of Australians feel that data protection is important when making decisions about choosing service providers across a range of areas including banking (93 percent), mobile or internet providers (89 percent), legal providers (87 percent) and health service providers (84 percent).

Under Australian legislation, people can expect those holding personal information relating to them to protect it from misuse, interference, loss, and from unauthorised access, modification or disclosure. The Security Tracker demonstrates that consumers do indeed have very high expectations of their service providers and trust them to protect their personal data and yet the same survey highlighted gaps in the understanding of business owners and managers in terms of their responsibilities in this area.

This disconnect highlights an area of potential risk for businesses who do not have the capacity to protect their customers’ information in the way that they expect. The impact of a data breach can be substantial, including operational delays, activities to investigate and remediate a data breach, legal advice and action, brand reputational damage, loss of consumer confidence and loss of business opportunities and revenue. These costs should not be dismissed lightly, as data breaches are estimated to be costing Australian organisations an average of AU$2.51 million annually, which works out to be an average of $139 per compromised record.1

It is not only customers who are at risk; the potential damage to employee confidence from a breach involving the loss or misuse of employee data could also have a very negative impact on business performance. Human resource managers and departments often hold highly sensitive information about employees and have a legislative requirement to maintain confidentiality, and now a requirement to notify under the Notifiable Data Breaches (NDB) scheme.

Shred-it’s Security Tracker research found that around nine in ten C-Suite Executives (C-Suites) (89 percent) and Small Business Owners (SBOs) (88 percent) are confident that their secure destruction procedures for paper and electronic media will protect them from a data breach. Yet this confidence appears to be somewhat misplaced in light of an analysis of the policies, procedures and practices that are actually in place.

The Report shows a marked difference between C-Suites and SBOs in terms of their attitudes and capacity in terms of information security with the former generally about twice as likely to have in place security policies, procedures, and protocols to address data security. Since SBOs are equally responsible for information security, this indicates scope for enhanced government support and policy to ensure that smaller organisations are equipped to maintain privacy standards and to promote greater industry awareness and adoption of effective privacy practices.


[Infographic: Security Tracker 2018 Australia]

Panels shown:

- Businesses that have a strong understanding of the legal requirements for managing and disposing of confidential information (C-Suites vs. SBOs)
- Businesses that have a strictly adhered to policy for storing and disposing of confidential data (C-Suites vs. SBOs)
- Businesses with a policy in place for storing and disposing of confidential data for off-site employees: 80% of C-Suites vs. 40% of SBOs
- Small business owners are less likely today than in 2016 to have a policy in place for storing and disposing of confidential data (chart: SBOs without policies, 2016 vs. 2018)
- Businesses are not well equipped to deliver on customers' privacy expectations: consumer privacy expectations exceed businesses' capacity to deliver
- Australian consumers feel that data protection is important when choosing their: Bank 93%, Internet Provider 89%, Healthcare Provider 84%, Accounting Firm 82%, Electricity Provider 78%
- 45% of all respondents never train staff on information security procedures

Shred-it® is a Stericycle solution. © 2018 Shred-it International. All rights reserved.

Learn more about how you can protect your data. 1800 012 012 | shredit.com.au

Lack of Policies & Training

Despite the high expectations in terms of information security, organisations on the whole do not appear well prepared to deliver on these expectations with inadequate policies, protocols and employee training. The Security Tracker research showed that across all respondents only 45 percent have a policy for storing and disposing of confidential paper documents that is strictly adhered to and 39 percent have no policy at all. The proportion of small businesses having a policy in place has dropped notably (-8 points) since the 2016 survey.

Even when an organisation has comprehensive policies in place, these are only effective if employees are confident in their application. Yet, mirroring the lack of procedures, only 55 percent train their staff on information security procedures or policies, and 72 percent of small businesses report training staff only on an ad hoc basis or never, up from 59 percent in 2016. In another negative trend, only 22 percent of small businesses report training staff on their organisation’s information security procedures at least once a year, compared to 33 percent in 2016 (-11 pts).

The vast majority (87 percent) of C-Suites claim that they have employee training for at least one of a range of physical information security topics, such as identifying fraudulent emails or reporting a lost device or credit card. In comparison, nearly half as many SBOs (45 percent) report a similar level of training. Using public Wi-Fi was one of the areas least likely to be the subject of employee training, despite the increase in flexible working arrangements that often see employees using such networks.

In an age of digital communication, the importance of physical materials, such as paper, is sometimes overlooked. Yet those seeking to commit fraud and data theft often target paper-based documents, which makes it essential that information security is viewed holistically; any system for protecting information is only as strong as its weakest link. An error that saw numerous Australian Government Cabinet files discovered in early 2018 by a member of the public in a second-hand shop, instead of being appropriately stored, is evidence that paper-based information is just as important to manage as digital assets.

Physically protecting data should be top-of-mind for businesses dealing with sensitive information, especially as paper use seems to be static or even on the rise. It is estimated that only 3 percent of Australian businesses have completely eliminated paper from their office procedures and 20 percent of businesses are seeing paper consumption rapidly increasing2. The research showed that across the board, 59 percent of businesses think paper use will stay the same or increase over the next year. C-Suites are more likely than SBOs to anticipate a rise in the volume of paper used over the next year (16 percent vs. 7 percent).


Appropriately protecting documents includes having a good alarm system and security cameras, keeping file cabinets locked, providing data security training to employees, promoting a Clean Desk policy, having a policy for mobile devices and properly disposing of sensitive documents and old hard drives.

Securely destroying documents is a requirement in many circumstances including under Australian Privacy Principles3, yet the Security Tracker shows that a very small proportion (11 percent) of businesses use a professional shredding service whilst 14 percent either recycle or throw confidential papers in the general rubbish. Of concern is a negative development in which the proportion of small businesses that shred documents, be it with a professional shredding service or in-house, has declined from 76 percent in 2016 to 62 percent in 2018.

A comprehensive policy and good training are key to sound information security, but these can only be effective if backed up by a culture of security awareness and open reporting of risks or potential breaches. This is especially the case in an environment of mandatory reporting of breaches under the Notifiable Data Breaches (NDB) and EU General Data Protection Regulation (GDPR) legislation. It is also good business practice, since the faster a data breach can be identified and contained, the lower the associated costs4. The research shows that whilst 74 percent of C-Suites have a policy or process in place requiring employees to report information security issues, only 38 percent of SBOs have a similar policy and 43 percent say they have no intention of starting one any time soon.

It appears that whilst consumers, and the community in general, have increasing expectations of those organisations that hold personal information, many businesses (especially small businesses) are actually placing less importance on the actions that would allow them to meet those expectations. Yet, efforts to drive a change in culture and be proactive in establishing information security credibility could pay off for businesses in more ways than one. Not only can this approach minimise the chances of a security breach, it can also position businesses to increase market share in the event that competitors lose the trust of their customers through a data breach.

By undertaking an organisation-wide information security audit, businesses can identify gaps in their systems, policies, skills and knowledge and move to address these through a comprehensive security policy. An ongoing risk management approach which regularly reviews the policy and audits security will position the organisation to stay on top of potential risks. Communicating with customers about their approach to information security will instill confidence in them.

Awareness Mismatch

Expectations of consumers in terms of what their service providers do with their information are high. Recent high‑profile breaches and instances of improper data handling, like the Facebook and Cambridge Analytica incident which became public on 17 March 2018, have led consumers to demand better protection for their privacy. Consumers are becoming better informed and questioning exactly how their data is being used and stored, and what happens when they want to have their information deleted.

Across all Security Tracker metrics, the vast majority of respondents feel that data protection is important when making decisions, with people feeling that it is most important when deciding who to bank with (93 percent), which mobile or internet provider to use (89 percent), which legal provider to use (87 percent), which health service provider to visit (84 percent), which accounting firm to use (82 percent), or which electricity provider to use (78 percent).

A strong majority are also confident that, in the event of a serious breach, their service providers would comply with the new Notifiable Data Breaches (NDB) scheme by promptly notifying them of the likely risk of serious harm. Consistent with other metrics, confidence is highest for banks (80 percent), followed by healthcare providers (77 percent), and mobile providers (72 percent).

On the other hand, less than half (47 percent) of Australians feel that the penalties for failing to comply with the NDB scheme are strong enough, indicating that there may be public support for heftier penalties if businesses are found to fail in this responsibility.

However, there appears to be a mismatch between consumer and community awareness surrounding information security and the service providers who manage that information. Across all respondents to the survey, only 50 percent of businesses indicated that they have a strong understanding of the legal requirements and ramifications surrounding confidential information storage and disposal, and this drops further for SBOs (48 percent). Businesses have a responsibility for the lifecycle of information collected, from the point of deciding what data to collect to destruction or de-identification of the personal information when it is no longer required. Yet when it comes to having a policy for storing and disposing of confidential paper documents, only 45 percent of businesses have a policy that is strictly adhered to and many (39 percent) have no policy at all.

Overall, a majority (52 percent) work for organisations that have a plan in place to delete personal data stored offline. However, only 32 percent have processes in place to notify the individuals impacted as well as the Office of the Australian Information Commissioner (OAIC), in the event of a data breach.

When it comes to the new EU General Data Protection Regulation (GDPR), the research shows that across all respondents only 12 percent claim to be at least ‘somewhat familiar’ with the regulatory framework and this is even lower for small businesses at nine percent. Alongside this lack of awareness is a very low emphasis on the legislation with just 15 percent of small businesses seeing it as at least somewhat of a priority whereas 51 percent of C‑Suites deem GDPR compliance to be important. Low prioritisation of GDPR may be fueled by a sense that it is not relevant to Australian businesses; over one quarter (28 percent) of SBOs did not think the new legislation would apply to their organisation. This is despite the very significant penalties for non‑compliance of €20 million (over AU$30 million) or four percent of annual worldwide turnover.

Reducing the gap between the expectations on the part of consumers and the understanding and commitment of organisations to information security should be a short-term priority for government, as well as for private sector and not‑for‑profit organisations.

Changing Work Models

Flexible working arrangements can bring a myriad of benefits to businesses and employees: the ability to work with customers on-site, achieve work-life balance, reduce commuting time, enhance employee satisfaction and cut down on office space costs. Technology has facilitated this trend, with tools such as video conferencing, CRM software, project management tools, group chat tools and smartphones all allowing employees to be connected wherever they happen to be located. Almost a third (3.5 million) of all employed persons regularly worked from home in their main job or business in 2016, and this trend is likely to have continued.5

Alongside higher rates of remote working is a trend to Bring Your Own Device (BYOD) policies, whereby employees use their own device for work, which can increase productivity and employee satisfaction at work. According to the Deloitte Mobile Consumer Survey 2017, smartphones are emerging as an essential work tool, with 67 percent of respondents using their smartphones for work. According to that research, seven percent of workers used their smartphones to submit a timesheet, five percent did so to submit expenses, and nine percent did so to access a work intranet site6. However, there are traps to be avoided with the adoption of these policies, as BYOD also increases the risk of data theft, leakage and malware intrusion caused by a device being connected to an organisation’s network.

The Security Tracker research showed that the majority (53 percent) of businesses have employees using flexible or off‑site working arrangements with small business much more likely to indicate having a very high percentage of their employees working off-site, compared to C-Suites (19 percent vs. 1 percent). Most respondents (67 percent) believe that the option to work remotely is becoming increasingly important, with those in the business services and public service sectors more likely to think that the option to work remotely will become increasingly important in the next five years.

However, 63 percent also feel that the risk of a data breach is higher when employees work off-site, and it appears that many organisations have not adequately addressed information security as part of their remote working policies. Whilst 80 percent of C-Suites have policies in place for storing and disposing of confidential information when working off-site, only 40 percent of small businesses can say the same.

Across all respondents a majority (56 percent) claim that their organisation has security protocols in place for employees using electronic devices that contain confidential information while working off‑site. C‑Suite respondents are about twice as likely as SBOs to have protocols in place for employees using electronic devices that contain confidential information while working off‑site (95 percent vs. 52 percent).

The vast majority of respondents trust that their employees are doing everything they can to safeguard sensitive physical and digital information while off-site (93 percent). However, around 10 percent reported lost or stolen equipment, with C-Suites more likely to have had employees who lost, or had any items stolen, while working off-site. Mobile phones and laptops were the items most likely to have been lost or stolen but 7 percent had also lost paper documents containing sensitive company information.

Importantly, of those who reported employees losing or having sensitive information stolen, around half (48 percent) reported that sensitive company data was put at risk as a result. This rose to 60 percent of C-Suite respondents.


Over 60% of businesses feel that the risk of a data breach is higher when employees work off‑site.

Ask the Expert

Professor Matt Warren, Deputy Director of the Deakin University Centre for Cyber Security Research and Professor of Cyber Security, Deakin University.

Prof Warren discusses information security for Australian organisations in the current climate. He also addresses the need for a mature and consistent approach to information security and shares insights into the challenging conditions faced by businesses when securing data.

What is your perspective on Australian consumers’ current expectations versus reality in terms of information security today?

MW: Recent high‑profile cases in Australia and internationally, such as Facebook and Cambridge Analytica, have focused consumers on information security and they now have some very high expectations. However, they don’t necessarily understand that businesses and organisations are working in a highly complex and challenging environment for managing data. Businesses face changing technologies, cloud computing, pressure to manage costs and a greater reliance on third party suppliers all of which can make ensuring information security difficult. The risk of this disconnect for businesses is that if the high expectations of consumers are disappointed, they may choose to change their supplier thereby reducing that business’s market share.

How can a comprehensive information security policy deliver reputational benefits to organisations in the private and public sector?

MW: A comprehensive information security policy is the foundation for changed behaviour and a culture that values privacy. Many organisations invest the time and resources to develop information security policies and protocols, but unless this becomes part of a cycle of continuous improvement and is backed by training and a culture of security, it falls down. Consumer expectations can serve as an important driver for organisations to increase their security maturity and effect changes in behaviour, embedding excellent information security practice. Those businesses that are proactive in addressing information security, and communicating this to their customers, could potentially increase market share at the expense of those who lose customers due to the reputational damage caused by data breaches.

The trend toward flexible and off-site working arrangements seems here to stay; what are some steps that employers can take to maintain the security of information?

MW: The flexibility offered by mobile working arrangements is manifold, but it also brings with it additional risks to information security. Employers are increasingly implementing Bring Your Own Device (BYOD) policies to enable staff to use their own computer for work, but often lack appropriate protocols for security such as password protection, malware updates and login security. Already ‘dumpster divers’ search waste paper for documents to facilitate fraud, and it is very easy for them to target employees and scour their household waste for materials that may have been printed at home and unthinkingly thrown out.

The response always comes back to a comprehensive policy which puts in place protocols to train staff in information security when working remotely. Organisations need to think holistically; many spend significant resources on cyber security but pay less attention to paper-based materials, which pose just as big a risk.

How do you foresee the new NDB and GDPR legislation impacting the private sector and how can organisations in Australia prepare to meet their requirements?

MW: New legislation in the form of the Notifiable Data Breaches (NDB) scheme will be a massive driver for change in Australia due to the legal requirements that it imposes and the increased transparency that the publication of summary breach information will bring. The impetus for the legislative approach is to assist organisations to improve their information management. Reputational damage to brand is one of the major risks of concern to organisations and they want to protect their relationship with their customers and build trust. This means that they will need to promptly notify customers and regulators of relevant breaches rather than appearing to hide such issues.

The European Union (EU) GDPR (General Data Protection Regulation) has already been seen to change the behaviour of some businesses overseas and it is likely to have an impact in Australia. Whilst larger organisations tend to be more aware of the legislation, small businesses which target EU markets will be affected by GDPR, but it is likely to take some time for people to become fully aware of the ramifications.

Again, both pieces of legislation can be a driver of changed behaviour and a better approach to information security in Australia.

What are the common attributes of organisations that are highly successful in dealing with information security?

MW: Those organisations, large or small, who excel in information security tend to have a number of common approaches:

• Having a comprehensive information security policy is the first step, but they also have a strong culture of information security where it is core to the organisation, not an add-on.

• Inevitably, successful organisations have people allocated with responsibility for information security, showing its importance and ensuring consistency of approach and oversight.

• Regularly communicating their policy internally and externally so that not only do employees understand what is expected, but external stakeholders also know where the organisation stands on security and the value it places on privacy.

• Regular risk evaluation to assess whether the policy is still adequate and pressure testing the capacity of the organisation to see how it actually deals with certain situations rather than waiting until there is an incident.

Recent Changes in Privacy Legislation

Businesses are operating in an increasingly complex privacy risk environment, with increased consumer expectations and scrutiny, a growing web of legislation with international reach, a lack of staff awareness and new business requirements in terms of data acquisition and use. The Australian Government has sought to assist businesses to rise to these challenges through an approach that seeks to lift standards across the board. In Australia, the Office of the Australian Information Commissioner (OAIC) is taking the lead role in overseeing and implementing these initiatives.

Notifiable Data Breaches (NDB) scheme

The Australian Government’s major response has been the implementation of the NDB scheme, which came into effect in February 2018 and is overseen by the OAIC. It requires certain organisations, including any that trade in personal information or provide health services, to adhere to a higher standard of notification obligations when a data breach is likely to result in serious harm to any individuals whose information is involved in the breach. However, according to the Security Tracker, only 28 percent of SBOs have processes in place to notify the individuals impacted as well as the OAIC, in the event of a data breach.

The NDB seeks to provide organisations with a framework to reduce or eliminate the risk of harm to individuals in the event of a data breach, and which aligns with legislative requirements and community expectations. This framework can assist businesses to minimise the damage caused by such a breach, since a quick and effective response actually enhances trust and reduces the costs of the breach. However, the approach is firmly based on the understanding that prevention is far preferable, so being prepared to avoid a data breach is important for all organisations that handle personal information.

My Health Record The Australian Government is in the process of making the Personally Controlled Electronic Health Record (PCEHR) or eHealth record opt out, rather than the previous opt in format, with a three month ‘opt out’ period running from 16 July to 15 October 2018. Widespread use of the eHealth record is likely to see increased focus on the tool and even more scrutiny on protecting patient privacy. Organisations holding or managing health information will face strong penalties for misuse of information in the health record with fines of up to half a million dollars and even jail sentences. The Security Tracker found that considerations around information security play an important role for 84 percent of consumers when making decisions about which health service provider to visit.

Recent Changes in Privacy Legislation

2018 STATE OF THE INDUSTRY REPORT | Australia 14


EU General Data Protection Regulation (GDPR)

Along with those across the globe, from 25 May 2018, Australian organisations are required to adhere to the EU's GDPR. The GDPR contains new data protection requirements that are designed to provide clear, uniform data protection laws intended to build legal certainty for businesses and enhance consumer trust in online services. The impact of these regulations will be felt by online businesses as well as bricks and mortar establishments. Whilst some Australian businesses have been preparing to comply with this new international standard, many are not fully aware of its ramifications.

The Security Tracker revealed very low awareness among SBOs, with only nine percent being somewhat aware of GDPR, and even among C‑Suites only 33 percent had this level of knowledge. A low proportion of businesses see the GDPR as being relevant to them, so it is probable that the level of awareness will grow as organisations see peers taking the legislation seriously or breaches being prosecuted.

Australian Privacy legislation includes some similar requirements to the GDPR; both laws require businesses to implement measures which ensure compliance with a set of privacy principles, and both take a privacy by design approach to compliance. Technology neutrality also features in both sets of legislation, ensuring their relevance and applicability in a context of continually changing and emerging technologies. However, there are differences, so businesses need to evaluate their information handling practices and governance structures to ensure that they comply with GDPR. It appears that not enough businesses place sufficient importance on GDPR compliance, with a bare majority of 51 percent of C‑Suites and only 15 percent of small businesses considering it to be somewhat of a priority.

Australian Government Agencies Privacy Code

The Australian Government Agencies Privacy Code (the Code), effective 1 July 2018, sets out specific requirements and key practical steps that agencies must take as part of complying with Australian Privacy Principle 1.2 (APP 1.2). It requires agencies to move towards a best practice approach to privacy governance to help build a consistent, high standard of personal information management across all Australian Government agencies. Whilst this is only applicable to the public sector, it reinforces the focus on the need for all organisations to implement best practice in dealing with privacy and data protection.

Together, these new requirements comprise some of the largest changes to privacy regulation in over a decade and will drive fundamental changes to how Australian organisations handle personal information. Whilst the Government appears to be taking an approach that fosters excellence in information security management, rather than a punitive response, pressure is only likely to build for organisations to bring their ‘best game’ to this arena.


Summary

Shred-it is proud to provide businesses of all sizes with advice and data security intelligence based on our research. The results of the Australian Shred‑it 2018 Security Tracker demonstrate the need for organisations to work to increase their understanding of legislative requirements in terms of information security whilst also enhancing their capacity by improving information security practices. The State of the Industry Report identifies a disconnect between the expectations of consumers around how service providers manage their personal information, and the level of preparedness of these organisations to meet those requirements.

Organisations are faced with a changing and ever challenging environment, including additional legislative requirements and new technologies, impacting their data management capacity. Organisations need to position themselves for success in managing information security by taking a risk management perspective whilst ensuring that systems are in place and employees are equipped to deliver the highest standard of privacy.

Data security is important to consumers. Correspondingly, there is value for businesses in terms of customer retention, reputation and financial outcomes in paying close attention to data management. It is now up to businesses to demonstrate that they have the policies, practices and, above all, a culture to deliver information security, underpinning their reputation and trust among customers and the wider community.

For more tips on improving your information security, please visit the Shred-it Resource Centre at Shredit.com.au/resource-centre

facebook.com/shredit

linkedin.com/company/Shred‑it

@Shredit


Data protection must become a core part of all business practices.


How Shred‑it® Can Help

The Shred‑it Protected Workplace

Our integrated suite of products and services, including Paper Shredding, Hard Drive Destruction and Workplace Security Policies, all delivered through a secure Chain of Custody, are designed to protect the things that matter most, every single day.

Shred‑it Secure Document and Hard Drive Destruction

» Secure end-to-end chain of custody processes
» Certificate of Destruction after every service
» Tailored solutions to your organisation’s needs

Advice and Expertise

» Trained experts in information security
» Provide a Data Security Survey at your organisation to identify information security risks

Shred‑it® is a Stericycle solution. © 2018 Shred‑it International. All rights reserved

Learn more about information security at shredit.com.au or 1800 012 012


2018 Security Tracker Survey Methodology

Ipsos conducted a quantitative online survey of two distinct sample groups: Small Business Owners (SBO) in Australia (n=1,003) with fewer than 100 employees, and C‑Suite Executives in Australia (n=100), with a minimum of 100 employees.

Data for Small Business Owners is weighted by region. Data for C‑Suite Executives is unweighted as the population is unknown. The precision of Ipsos online surveys is calculated via a credibility interval. In this case, the Australia SBO sample is considered accurate to within +/‑ 3.5 percentage points had all Australian small business owners been surveyed, and the Australia C‑Suite sample is accurate to within +/‑ 11.2 percentage points had all Australian C-Suite Executives been surveyed. The fieldwork was conducted between April 9th and April 21st, 2018.

In addition to the quantitative online survey, Ipsos conducted a short omnibus survey among a general population sample of n=1,000 Australians about data protection and security.