SMEs and the Risks of Data Breaches

Posted: September 29, 2015

  • Human error biggest security risk for a quarter of UK’s SMEs
  • Third of small business owners unaware of what constitutes confidential information
  • Over a quarter of SMEs have no information security protocols or training in place

29 September 2015 – Small businesses in the UK are failing to train staff on how to correctly identify and dispose of confidential information which could lead to a costly data breach, warns the UK’s leading information destruction experts, Shred-it.

A Shred-it survey conducted by Ipsos MORI found that although 24% of SME owners claim that human error, such as leaving sensitive information on desks, poses the biggest security risk to their organisation, more than a quarter (27%) do not have information security policies and procedures in place. Of those who do, a third admit to never training their employees on these protocols.

Even more concerning is the fact that a third (32%) of small business owners are unaware of what constitutes confidential data, saying that they possess no information that would cause their business harm if stolen. However, every business in the UK holds confidential data – from payslips to meeting agendas and employee or client records – that could lead to damaging financial, legal and reputational repercussions.

“Employee error is understandably a big concern for UK small business owners. Leaving documents on a desk or throwing a payslip in the bin could pose a huge risk to an organisation. But how can business owners expect their staff to understand how to deal with confidential information if they can’t even identify what is confidential?” said Robert Guice, Executive Vice President, Shred-it EMEA.

He added, “Small businesses need to step up and take responsibility for ensuring that everyone in their organisation is aware of the sensitive data they hold. Putting in place protocols on how to deal with confidential information, or even adopting a ‘shred-all’ policy that all staff are aware of, is essential for SMEs to protect their businesses.”

Since April 2010, the Information Commissioner’s Office (ICO) has issued over £7 million worth of fines to organisations that have experienced data breaches. This is costing businesses millions of pounds; but despite such high figures, SMEs are still not doing enough to safeguard themselves against breaches from within their organisation. Investing in workplace training is key to ensuring that SMEs do not suffer costly fines which could cause irreversible financial damage.

Unlike SME owners, C-Suite executives are much more likely to train their staff on information security protocols, with 36% of C-Suite executives providing frequent data security training (twice a year or more frequently) compared to only 11% of SME owners. This regular data security training highlights that large businesses are more prepared and aware than their SME counterparts when it comes to preventing and identifying data security risks and avoiding financial penalties in the process.

Shred-it is calling on SME owners to implement workplace training for all employees to eliminate the risk of a data breach. This will ensure staff at every level are adequately trained on the importance of data security and able to spot and prevent potential human error-related slip-ups before a data security breach occurs.

Five tips to help you spot a data security error before it happens!

To ensure that employees know what to look for when spotting data security risks in the workplace, Shred-it advises small business owners to follow these tips:

  • Schedule regular information security audits to identify problem areas – and solutions
  • Introduce a shred-all policy, which means all documents are destroyed prior to disposal or recycling
  • Keep an inventory of all information that needs to be protected
  • Schedule on-going training so employees understand best practices for protecting confidential information – in and out of the workplace
  • Ensure employees are informed about the risks associated with data protection breaches and are well trained on which documents they should consider shredding and how to dispose of electronic data

Read more about which documents should be shredded and how to dispose of electronic data on Shred-it’s resource centre.


Notes to editors

About the survey:
Ipsos MORI is one of the largest and best known research companies in the UK and a key part of the Ipsos Group, a leading global research company. With a direct presence in 60 countries our clients benefit from specialist knowledge drawn from our five global practices: public affairs research, advertising testing and tracking, media evaluation, marketing research and consultancy, customer satisfaction and loyalty.

Ipsos MORI conducted a quantitative online survey of two distinct sample groups: small business owners in the UK (all of which have fewer than 100 employees), and 102 C-suite executives working for businesses in the UK with a minimum of 250 employees.

The fieldwork was conducted between 20 April and 3 May 2015.

About Shred-it
Shred-it is a world-leading information security company providing information destruction services that ensure the security and integrity of our clients' private information. The company operates in 170 markets throughout 18 countries worldwide, servicing more than 400,000 global, national and local businesses. For more information, please visit

For further information contact:

Sophie Longley
Weber Shandwick
Phone: (0)20 7067 0258
