May 31, 2016

UK businesses at serious risk of data breaches as cyber security is prioritised over physical data protection

London 31 May 2016 – UK companies are leaving themselves open to physical data theft as many divert their attention and resources to tackling other risks such as cyber crime, the UK’s largest information destruction company, Shred-it, has warned. 

Some 22 percent of C-suite executives (C-suites) and 40 percent of small and medium enterprise (SME) business owners perceive online threats as the biggest risk to their organisation in the next 5-10 years, according to Shred-it’s sixth annual Security Tracker research, conducted by the independent research body Ipsos. Yet this ignores the more immediate risk from loss of physical data, such as that found on paper and electronic storage devices, particularly as a third (32 percent) of C-suites expect the volume of paper used in their organisation to increase over the next five years.

Despite businesses fearing online threats in the future, when asked what the most likely source of a data breach today would be, both C-Suites (27 percent) and SMEs (47 percent) cited internal human error rather than deliberate sabotage by an external source (C-Suites, 25 percent; SMEs, 23 percent). This further reinforces the risks faced by organisations if they do not prioritise physical data security among their employees.

This is particularly concerning as a third of SMEs (35 percent) have no policy in place for the storage and disposal of confidential data. Although almost all C-Suites do have such a policy in place, 28 percent say not all employees are aware of it. This demonstrates that while businesses are aware of the risk posed by having unsecured documents around the office, they aren’t taking the steps to address this.

The survey also identified that an increase in flexible working practices may be leaving the door open to potential security issues.  While almost all (97 percent) of C-suites and 55 percent of SMEs say their employees adopt flexible/offsite working models, only 41 percent of C-suites and 32 percent of SMEs have policies in place for both off-site working and working from home.

Robert Guice, Senior Vice President Shred-it EMEAA, said: “With recent information security narrative being focused on cyber crime, particularly in the wake of the high-profile TalkTalk breach and Panama Papers leak, organisations simply aren’t focusing on the genuine threat posed by physical data. The paperless office is a myth but a dangerous one that is lulling UK businesses into a false sense of security. Without the right policies in place to protect confidential data in all its forms, particularly as flexible and off-site working increases, businesses are putting the personal and sensitive information of their customers, employees and partners at risk.”

The survey also highlighted the need for Government to take action and help educate organisations about their information security responsibilities, with over a third of SMEs (33 percent) saying Government commitment to information security needed improvement and a further 12 percent deeming it abysmal, a similar figure to last year (32 percent ‘needs improvement’; 11 percent ‘abysmal’). By contrast, over half of C-suites said the Government’s response was mostly good but could be better, though 18 percent agreed it needed improvement or was abysmal.

Guice added, “That businesses still think the Government needs to do more around information security is of critical importance. If organisations are confused about their responsibilities now, they will struggle in the future, especially with changes in legislation expected at a European level over the next two years. We need to work together – Government, information security experts and UK businesses – to ensure that all data is fully protected.”

The report also reveals:

  • 38 percent of C-suite executives and 37 percent of SMEs indicate they destroy confidential information stored on electronic devices by wiping or degaussing them in-house, whereas only 12 percent of SMEs use a professional destruction service to physically dispose of these types of devices, compared to 31 percent of C-suites. Simply deleting the information on hard drives does not mean that the information has been removed; this can only be ensured by physically destroying the hard drive.
  • Furthermore, while C-suites (49 percent) and SMEs (47 percent) are equally likely to dispose of confidential paper documents every month or more frequently, over half of UK businesses are waiting more than a month to destroy sensitive data.  This is a concern for both businesses and consumers as most organisations hold vast amounts of data, which are apparently not being regularly disposed of when no longer required.

These results highlight that further education is required to ensure businesses are aware of the effects of both cyber security and physical data risks, and that they must continually review their protocols to meet the evolving and changing nature of the modern workplace to ensure that both are treated with equal importance.

Notes to editors

About the survey:

Ipsos is one of the largest and best known research companies in the world. With a direct presence in 60 countries its clients benefit from specialist knowledge drawn from five global practices: public affairs research, advertising testing and tracking, media evaluation, marketing research and consultancy, customer satisfaction and loyalty.

Ipsos conducted a quantitative online survey of two distinct sample groups: small business owners in the United Kingdom (n=1,002), and C-suite executives working for businesses in the United Kingdom with a minimum of 250 employees (n=101). The precision of Ipsos online surveys is calculated via a credibility interval. In this case, the UK SBO sample is considered accurate to within +/- 3.5 percentage points had all small business owners been surveyed, and the UK C-suite sample is accurate to within +/- 11.2 percentage points had all C-suites in the UK been surveyed. The fieldwork was conducted between March 16 and March 23, 2016.

Every year, Shred-it develops the State of the Industry Report to highlight common information security trends and emerging challenges based on the Security Tracker’s key findings. Now in its fifth year, this report provides comprehensive insights and tips on how businesses can protect and mitigate risks when it comes to information security. Download the current report to learn more about information security trends, as well as ways in which businesses, large and small, can protect their data.

About Shred-it
Shred-it is a world-leading information security company providing information destruction services that ensure the security and integrity of our clients' private information. A wholly-owned subsidiary of the US-based professional services company Stericycle, Shred-it operates in 170 markets throughout 18 countries worldwide, servicing more than 400,000 global, national and local businesses. For more information, please visit