66% of all UK data breaches come from small companies
Small businesses across the UK could now be fined up to £500,000 in the event of a data security breach as new powers for the Information Commissioner’s Office (ICO) come into force today.
Under the new rules, the ICO will be able to fine businesses up to £500,000, equivalent to 10 per cent of the highest annual turnover of a small company, if they lose individuals' confidential data. Previously the ICO had the power to fine just £5,000 for serious breaches of the Data Protection Act, but these new measures are expected to act as an effective deterrent to improve data security within the UK economy.
Today, leading information destruction company Shred-it welcomes these new powers as a sign of progress for UK data protection but warns that as fraud persists, small businesses must be vigilant as they are often the most vulnerable targets for information thieves.
Robert Guice, Executive Vice President of Shred-it, said: “With fraud on the rise, information security is more important than ever for businesses looking to protect their financial standing and corporate reputation. These new measures are a positive step forward for small businesses in the UK who protect their employees’ and clients’ confidential information through good management practices. Small businesses who neglect the need for good and robust management of their confidential data will now pay a high price.”
“Small businesses in particular make easy targets for data theft. While larger companies have resources dedicated to protecting the security of their data, small businesses don't always have the means or knowledge needed to effectively manage the threat.”
In January, information security and forensic computing company 7Safe released its UK Security Breach Investigations Report 2010, which revealed that the majority (66 per cent) of data security breaches that occurred in the UK over the past 18 months came from small companies employing fewer than 100 people. According to the research, 80 per cent of attacks on data came from sources external to the organisation, while 18 per cent came from business partners.
Robert Guice continued: “Without doubt, data breaches affect businesses of all sizes, but many small business owners simply aren’t taking the necessary steps to create ongoing data security policies and practices, including training their employees.”
“Small firms must make employee education a top priority to help avoid unnecessary data breaches occurring as a result of human error. Invoices, company reports, payroll data, customer lists and even customer complaints are all highly confidential and need to be destroyed or securely stored. Setting out clear guidelines for employees as to which documents should be seen as confidential will prevent leaks of this kind from occurring.”
Robert Guice added: “In the longer term, strengthening online security and implementing a secure document destruction programme are the safest ways to ensure all sensitive corporate information is secure, therefore avoiding data security breaches, and of course the fines which may result.”
For small businesses looking to protect themselves and their customers against fraud, Shred-it offers the following guidance:
- Ensure all employees clearly understand the consequences to the business if a data breach were to take place
- Implement and communicate a policy that includes the secure destruction of all company and customer data (a shred-all policy)
- Confidential material exists in all parts of the business and includes payroll, client lists, invoices, and complaint letters. The simplest way to determine what is confidential and not confidential is to destroy everything related to the company, its employees and customers
- Ensure that all employees are suitably background checked
- Only collect essential data from customers and ensure that customers give their explicit consent for this data to be collected
- Limit access to confidential data by handling this information on a ‘need to know’ basis and keeping a record of which individuals have access to confidential information
- Consider fitting locks, alarms and CCTV cameras where appropriate in areas where confidential information is stored