Michael Borromeo has over 16 years of broad and diversified experience in the field of information security and is highly skilled in the areas of data privacy, information governance, policy and regulatory compliance, security architecture, and technical risk assessment. He has led both data privacy program development and assessment engagements across multiple industries, including financial services, consumer markets, telecommunications, and healthcare. Michael is a Certified Information Privacy Professional (CIPP/US), Certified Information Systems Security Professional (CISSP), and Certified Information Systems Auditor (CISA).
Michael Borromeo is Vice President of Data Protection at Stericycle, provider of Shred-it information security solutions. Like many of us, he is staying safe while working remotely.
Shred-it is an information security service provided by Stericycle, Inc. Shred-it’s leading information destruction solutions maintain the security and integrity of private and confidential information, protecting global, national, and local businesses across 14 countries worldwide. For more information, please visit www.shredit.com.
1. COVID-19 has had a huge impact on the workforce. More and more companies are now embracing remote work for safety and health measures implemented by the government. Being an expert in the information security field, what would you say is the biggest impact that remote working can have on the security and data protection of a company?
COVID-19 has changed how and where we work for the foreseeable future, and this abrupt transition to remote work left many businesses underprepared for the unexpected shift. Shred-it’s research has found the risk of security breaches increases significantly when employees work remotely.
There are a variety of reasons why remote work can put companies at risk. For one, human error and physical document handling need to be taken into consideration. Many employees rely on printed copies of documents featuring sensitive information to conduct their work, often printing them at home but not disposing of them properly.
Shred-it’s 2020 Data Protection Report found that prior to the pandemic, 42% of small businesses did not have any policy in place for storing and disposing of confidential information when employees work away from the office. This increases the risk for data to be seen, stolen, or compromised if left unattended and not properly disposed of.
As well, many companies lack regular training on information security procedures or policies, which could lead to more frequent and successful cyberattacks against employees working outside the office environment. The same report found that more than half (64%) of small-to-medium-sized businesses surveyed had no regular training on this issue. Further, companies that don’t provide their employees with the proper technology resources, such as virtual private networks (VPNs) or tools/solutions for securely transmitting sensitive data, are of course more susceptible to breaches.
2. Shred-it’s 2020 Data Protection Report revealed that 55% of Canadians feel less secure about their personal data protection compared to just a decade ago. How would you best explain this issue? What do you believe is the biggest factor that results in Canadians feeling insecure about their personal data being compromised?
Consumers expect businesses to keep their personal information safe. In today’s digital economy, new types of personal data are being created every day, such as output from medical devices, wearables, appliances, etc. This, in combination with traditional data such as credit card numbers and transactions, social insurance numbers, and data created via social media can create an incredibly revealing data footprint for every person.
Over the past decade, we’ve seen a staggering increase in the regularity and severity of data breaches, an expected consequence of this massive growth of data. It can be hard to find someone who hasn’t been impacted by one. In this climate, it’s no wonder more Canadians feel less secure about their data than just 10 years ago.
Our research found that while consumers accept the reality of data breaches, they take the issue very seriously. In fact, close to 23% would seek compensation and 24% would stop doing business with organizations who experienced a breach.
3. The tech industry is constantly evolving, and new discoveries are being made every day. What advice can you give to entrepreneurs so they can stay current with new IT discoveries that can help them better protect their business from data breaches?
Every entrepreneur I know is incredible at juggling multiple responsibilities. A business strategy, finance, marketing, operations – if you can name it, they can do it. It’s how they’re able to successfully turn their business ideas into reality.
At the same time, it’s always good to remind yourself that it’s okay to say, “I don’t know.” It’s impossible to be on top of everything in today’s fast-paced world, particularly when it comes to cyber threats and technology risks, and mistakes happen when you run into situations where you are not an expert. Data breaches can be devastating events for businesses of any size, but smaller operations led by entrepreneurs have fewer options for recovery. My advice to any entrepreneur worried about IT security is to not be afraid to engage outside help.
4. What do you believe is the biggest challenge that small business owners face when it comes to data privacy?
The biggest challenge small businesses face regarding data security is an apparent lack of resources compared to C-suites of larger companies. This can lead small business owners (SBOs) to prioritize other business needs they feel are more urgent.
The 2020 Data Protection Report illustrates this disconnect clearly, showing the number of C-suites implementing data privacy practices largely outweighs SBOs who do the same. In addition, SBOs are also the slowest to adopt additional online security measures or other protections, such as cyber insurance. While 70% of C-suites reported having a cyber insurance policy in place to protect against the financial fallout from data breaches, only 28% of SBOs reported the same.
These findings are concerning when research shows that small businesses are not immune from the threat of cybercrime and, in fact, may be more at risk. Other studies have indicated that smaller organizations are more likely to be hit by email threats – including spam, phishing, and email malware – than larger organizations. It’s more important than ever for SBOs to begin prioritizing data security, or risk potential financial and reputational consequences.
5. On a final note, what advice can you give to entrepreneurs that can help them in protecting their data from cyberattacks? What are some of the initiatives they can implement to ensure their data privacy is protected?
The good news is there are a variety of initiatives entrepreneurs can take to create a more secure workforce and protect their company from a potential security breach. Below are a few key information security strategies you can begin implementing immediately to improve your company’s risk posture, which will help to increase employee and consumer trust in the process.
- Implement data protection practices. Having clear-cut guidelines for employees to follow on a daily basis, such as a Clean Desk Policy and a Remote Work Policy, reinforces good behavior and decreases the risk of employees falling victim to scams, such as phishing or malware. Make sure these policies are updated regularly and that employees are adhering to them.
- Make sure employee training is frequent and up to date. Don’t let training be an afterthought. Employee training and continuous reinforcement via awareness campaigns are critical for building and maintaining a strong culture of data protection within an organization.
- Prepare guidelines for secure storage and destruction of company documents when employees work remotely. Ensure employees have the necessary resources, such as access to a lockable storage cabinet to safely store their printed documents until they can be properly shredded by a National Association for Information Destruction (NAID) certified shredding service provider.
- Keep digital data and documents as secure as possible. Implement the proper infrastructure and tools to protect employees and access sensitive data, such as the use of VPNs to remotely access networks, encryption for information both in storage and transit, anti-virus, and anti-malware programs, etc.
- If you fail to plan, you are planning to fail. As technology threats evolve and become harder to combat, a data breach becomes almost inevitable and as a result, can happen to anyone. Embrace risk planning and develop response plans to help your company identify and remediate issues as quickly and efficiently as possible. This is key to limiting damage and maximizing recovery.