SMEs in the UK are putting their own businesses at risk and could also be damaging larger firms they supply services to by not taking enough preventative measures of confidential data, the UK’s largest information security firm has warned today.
New research from Shred-it reveals that SMEs are not taking enough care when managing and disposing of documents and hard drives. The data protection firm has urged larger businesses in the UK to help SMEs they work with to improve their information security measures in order to maintain the integrity of their supply chain.
“It’s good business sense for larger companies to ask whether their suppliers have a data protection partner and an information security system in place – not only to prevent sensitive information being lost by a third party but also because the financial and reputational damage of a breach could put that supplier out of business and cause havoc in the supply chain,” warns Robert Guice, Vice President Shred-it EMEA.
According to the third annual Security Tracker survey, despite the threat of severe fines and reputational damage, SMEs still do not believe that a data breach would have a material impact on their business. This leads to them being 10 times less likely to have an information security system set up than is the case with larger businesses.
“SMEs continue to hugely underestimate the potential cost of a data breach to them. In terms of financial loss, the Information Commissioner’s Office in the UK can fine companies up to half a million pounds, enough to send many companies into insolvency”, Mr Guice said. “We believe that smaller companies maybe over-estimating the costs involved in making sure confidential information is kept safe”.
The Shred-it survey showed that:
- 2 in every 5 large businesses prosecuted for a data breach have suffered losses of more than £500,000
- The average fine is approximately £150,000 – large enough for 30% of companies to have to lay off staff as a result.
“Whilst larger companies may be able to absorb this cost, SMEs risk a huge hit to their bottom line and a tarnished reputation which can impact relationships with customers and other business partners” Mr Guice continued.
There is a worrying gap between the protocols in place between smaller and larger businesses. Whilst companies with revenue over £1m are eight times more likely to use a professional shredding company to dispose of their sensitive documents, 37 per cent of small businesses in the UK have no information security management system in place. Moreover, three in ten (28 per cent) small business owners have never provided any information security training to their employees.
Key findings regarding Dedicated Resources
Seventy seven per cent of larger businesses have an employee directly responsible for managing information security issues at management level (66 per cent) or board level (11 per cent) compared with less than half of SMEs (48 per cent). Furthermore, 95 per cent of large businesses have an employee devoted to data protection compared with only 53 per cent of small business owners, suggesting that larger businesses better understand the potential threat of data breaches and have put control systems in place accordingly.
The report also reveals:
- Only 39% of large business owners and only 4% of small business owners use a professional shredding service
- Large businesses (88 per cent) are more than twice as likely to be aware of the EU Data Protection Directive reforms as small businesses (43 per cent).
- Although the gap is closer, large businesses are still more likely to be aware of the UK Data Protection Act (92 per cent) than small business owners (72 per cent).
- With more information being stored in electronic form, it is equally worrying that less than one quarter of large (23 per cent) and small businesses (25 per cent) crush their electronic media – which means the vast majority of UK businesses are inadvertently putting themselves and their customers at risk.
- Businesses could be giving away private information to fraudsters by not properly disposing of or destroying hard drives. Sixty seven per cent of large business and 49 per cent of small business owners wrongly think that degaussing or wiping a hard drive will remove confidential information kept on them.
Companies looking to put an information security policy and process in place are urged to apply for a free risk assessment service by a trained and background checked Shred-it representative. An online risk assessment survey is also available on the website. This will help you to determine how you are managing confidential information and the information destruction process. Having a system in place will better protect the overall business supply chain against the impact of a data security breach.