Research commissioned by document destruction company Shred-it shows that over half (60%) of the small and medium-sized companies surveyed for the second annual Shred-it Security Tracker said they didn’t believe the loss or theft of data from their organisation would have any impact on their business, up 10% from the 2011 survey.
Over one third of SMEs (35%) admitted that they had no protocols in place for the storage and disposal of confidential data, while over three quarters of respondents (77%) either do not provide any training for employees on company information security procedures or do so only on an ad hoc basis.
The survey among 1,004 UK SMEs undertaken by IPSOS MORI also revealed that nearly a quarter (23%) admitted to being not very or not at all aware of the legal requirements for storing, keeping or disposing of confidential data in their industry. This, says Shred-it, compares poorly with businesses with more than 250 employees where 94% of those responding said they were aware in some form of the Data Protection Act.
“This year’s findings are particularly worrying, as they show SMEs becoming increasingly lax about information destruction as they just do not see any consequences for poor security procedures,” said Robert Guice, Shred-it’s executive vice president, EMEA.
“What we are seeing is a lack of awareness of the legal requirements, and complacency about the likelihood of being prosecuted and fined for breaching them, really coming through into a worrying lack of control over the way information is stored and disposed of by small and medium-sizes enterprises.”
The survey also found that nearly three out of every four SMEs (77%) could be giving away private information to fraudsters by not properly disposing of or destroying hard drives. Nearly 13% of respondents do not know how their business disposes of old computers and other electronic devices and a further 14% recycle them with no attempt to remove or destroy the information kept on them.
BSIA response
Responding to the publication of the survey, Anthony Pearlgood, chairman of the BSIA’s information destruction section said:
“Organisations have a duty of care towards their clients and staff to make sure all sensitive information – whether stored on paper or electronic devices – is effectively disposed of. Dealing with identity fraud and theft can in fact be distressing and expensive for victims, as well as considerably damaging for the companies involved. It is therefore both surprising and concerning to find out the relaxed attitude that some SMEs are taking towards information destruction and data security issues.
“Changes to the EU Directive on Data Protection, a tougher stance by the Information Commissioner’s Office on data breaches and heightened press interest on this type of incident are all signs that the way data breaches are viewed by regulators and the public is changing, so complacency is not justified any longer.
“Putting confidential waste in the hands of effective and reputable information destruction providers is one of the most effective ways to protect companies against data breaches. To achieve this, establishing whether a security provider complies with EN15713, the European standard for the sector, is key. All BSIA members comply with the standards and incorporate it in their quality procedures.”
