Larger businesses urged to partner with and mentor SMEs in their supply chain
London 18 June 2013: SMEs in the UK are putting their own businesses at risk and could also be damaging larger firms they supply services to by not taking enough preventative measures of confidential data, the UK’s largest information security firm has warned today.
New research from Shred-it reveals that SMEs are not taking enough care when managing and disposing of documents and hard drives. The data protection firm has urged larger businesses in the UK to help SMEs they work with to improve their information security measures in order to maintain the integrity of their supply chain.
“It’s good business sense for larger companies to ask whether their suppliers have a data protection partner and an information security system in place – not only to prevent sensitive information being lost by a third party but also because the financial and reputational damage of a breach could put that supplier out of business and cause havoc in the supply chain,” warns Robert Guice, Vice President Shred-it EMEA.
According to the third annual Security Tracker survey, despite the threat of severe fines and reputational damage, SMEs still do not believe that a data breach would have a material impact on their business. This leads to them being 10 times less likely to have an information security system set up than is the case with larger businesses.
“SMEs continue to hugely underestimate the potential cost of a data breach to them. In terms of financial loss, the Information Commissioner’s Office in the UK can fine companies up to half a million pounds, enough to send many companies into insolvency”, Mr Guice said. “We believe that smaller companies maybe over-estimating the costs involved in making sure confidential information is kept safe”.
The Shred-it survey showed that:
• 2 in every 5 large businesses suffering a data breach have suffered losses of more than £500,000
• The average fine is approximately £150,000 – large enough for 30% of companies to have to lay off staff as a result1.
“Whilst larger companies may be able to absorb this cost, SMEs risk a huge hit to their bottom line and a tarnished reputation which can impact relationships with customers and other business partners” Mr Guice continued.
There is a worrying gap between the protocols in place between smaller and larger businesses. Whilst companies with revenue over £1m are eight times more likely to use a professional shredding company to dispose of their sensitive documents, 37 per cent of small businesses in the UK have no information security management system in place. Moreover, three in ten (28 per cent) small business owners have never provided any information security training to their employees.
Key findings regarding Dedicated Resources
Seventy seven per cent of larger businesses have an employee directly responsible for managing information security issues at management level (66 per cent) or board level (11 per cent) compared with less than half of SMEs (48 per cent). Furthermore, 95 per cent of large businesses have an employee devoted to data protection compared with only 53 per cent of small business owners, suggesting that larger businesses better understand the potential threat of data breaches and have put control systems in place accordingly.
The report also reveals:
• Only one in three (33%) of senior business executives and just 4% of small business owners admitted they employed the services of a professional shredding service
• Large businesses (88 per cent) are more than twice as likely to be aware of the EU Data Protection Directive reforms as small businesses (43 per cent).
• Although the gap is closer, large businesses are still more likely to be aware of the UK Data Protection Act (92 per cent) than small business owners (72 per cent).
• With more information being stored in electronic form, it is equally worrying that less than one quarter of large (23 per cent) and small businesses (25 per cent) crush their electronic media – which means the vast majority of UK businesses are inadvertently putting themselves and their customers at risk.
• Businesses could be giving away private information to fraudsters by not properly disposing of or destroying hard drives. Sixty seven per cent of large business and 49 per cent of small business owners wrongly think that degaussing or wiping a hard drive will remove confidential information kept on them.
Companies looking to put an information security policy and process in place are urged to apply for a free risk assessment service by a trained and background checked Shred-it representative. An online risk assessment survey is also available on the website. This will help you to determine how you are managing confidential information and the information destruction process. Having a system in place will better protect the overall business supply chain against the impact of a data security breach.
Notes to Editors
About the survey:
Ipsos MORI is one of the largest and best known research companies in the UK and a key part of the Ipsos Group, a leading global research company. With a direct presence in 60 countries our clients benefit from specialist knowledge drawn from our five global practices: public affairs research, advertising testing and tracking, media evaluation, marketing research and consultancy, customer satisfaction and loyalty.
Ipsos Mori conducted a quantitative online survey of two distinct sample groups: 1,005 Small business owners in UK (all of which have fewer than 100 employees), and 100 C-suite executives working for businesses in the UK with a minimum of 250 employees.
The fieldwork was conducted 16 – 23 April 2013.
For further information contact:
Phone: 020 7067 0349
Shred-it is a world-leading information security company providing document destruction services that ensure the security and integrity of our clients' private information. The company operates 140 service locations in 16 countries worldwide, servicing more than 150,000 global, national and local businesses, including the world's top intelligence and security agencies, more than 500 police forces, 1,500 hospitals, 8,500 bank branches and 1,200 universities and colleges.
Shred-it has branches in the following UK locations: Belfast, Glasgow, Edinburgh, West Yorkshire, Chippenham, Waltham Abbey, Newcastle, Manchester, Birmingham, Milton Keynes, Portsmouth, Exeter, Stratford (London), Brentford, Nottingham, Cardiff and also has a branch in Dublin.