- Staff not trained on information security procedure and protocols
- More than ¾ firms not disposing of electronic storage devices properly
Small and medium-sized enterprises (SMEs) in the UK are not taking basic precautions to protect confidential data because they still do not believe that losing private information will have any impact on their business, according to new independent research commissioned by Shred-it, the UK’s leading document destruction company.
Despite the threat of crippling fines and severe reputation damage, over half (59.8%) of the small and medium-sized companies surveyed for the second annual Shred-it Security Tracker said they did not believe that the loss or theft of data from their organisation would any impact on their business, up a worrying 10 per cent from the 2011 survey.
“This years findings are particularly worrying, as they show SMEs becoming increasingly lax about information destruction as they just do not see any consequences for poor security procedures”, says Robert Guice, Executive Vice President, EMEA, Shred-it.
This lack of concern could be the reason why over one-third of SMEs (35.4%) admitted that they had no protocols in place for the storage and disposal of confidential data, over three quarters of our respondents (76.6%) either do not provide any training for employees on company information security procedures (26.6%), or do so only on an ad hoc basis (50%).
The survey among 1,004 UK SMEs, undertaken by IPSOS MORI, also revealed a possible reason for the sector’s lack of concern about information security. Nearly a quarter of SMEs(23.1%) admitted to being not very or not at all aware of the legal requirements for storing, keeping or disposing of confidential data in their industry. This compares poorly with businesses with more than 250 employees where 94% of those responding said they were aware in some form of the Data Protection Act.
“What we are seeing is a lack of awareness of the legal requirements, and complacency about the likelihood of being prosecuted and fined for breaching them, really coming through into a worrying lack of control over the way information is stored and disposed of by small and medium-sizes enterprises”, Robert Guice continued.
According to the Information Commissioners Office’s (ICO) annual report, there was a 21 per cent decrease in the number of data protection cases received between 2009 and 2011 and a 9 per cent decrease in the number of cases closed. This suggests that more needs to be done to combat data protection breaches by both the private and public sector in the UK.
The report also reveals:
- Nearly half of SMEs (46.4%) said they did not have anyone specifically responsible for managing data security issues
- 12.8 per cent of UK SMEs have no provision in place to shred sensitive documents
- 822 SMEs in our survey (81.9%) use an in-house shredding machine, but of those almost three quarters (72.2%) do not have anywhere secure to store documents before being shredded
- Just 5.4 per cent of SMEs use a professional shredding company compared to 43 per cent of larger firms (those with over 250 employees)
With more information being stored in electronic form, it is equally worrying that nearly three out of every four SMEs (77.4%) could be giving away private information to fraudsters by not properly disposing of or destroying hard drives. Over ten per cent (12.8%) of respondents do not know how their business disposes of old computers and other electronic devices and a further 14.4 per cent simply recycle them with no attempt to remove or destroy the information kept on them.
Larger firms (with more than 250 employees) say that they are aware of the legal framework protecting sensitive and confidential information in this country with 94% of those responding to our survey saying they were aware of the UK Data Protection Act as enforced by the Information Commissioners Office. As a result nearly all have protocols in place to manage information securely and around half train their staff on these protocols at least once a year.
However, there is a worrying gap between the management discipline of putting people and protocols in place and actually making sure information is secure. For all the good intentions of the larger companies surveyed, 28% still do not provide any secure places for sensitive documents to be stored before being put through an in-house shredding machine and 78.9% admitted to not safely destroying electronically stored information on hard drives in PCs, laptops, USBs or smartphones.
For further information contact:
Weber Shandwick Financial
Phone: 020 7067 0206
Pooja Doll, Marketing, Shred-it
Phone: 00 44 208 232 6342
Notes to Editors:
About the survey:
Ipsos MORI is one of the largest and best known research companies in the UK and a key part of the Ipsos Group, a leading global research company. With a direct presence in 60 countries our clients benefit from specialist knowledge drawn from our five global practices: public affairs research, advertising testing and tracking, media evaluation, marketing research and consultancy, customer satisfaction and loyalty.
Ipsos Mori conducted a quantitative online survey of two distinct sample groups: 1004 Small business owners in UK (all of which have fewer than 100 employees), and 100 C-suite executives working for businesses in the UK with a minimum of 250 employees.
Data are unweighted as the sample universe is unknown and statistical margins of error are not applicable for non-probability samples. However, an unweighted probability sample of this size in each country would yield results that are considered accurate to within 3.1 percentage points, 19 times out of 20. The fieldwork was conducted between April 13th and 20th, 2012.
In the UK alone, Shred-it has 16 branches, employs over 400 people and operates 125 shredding trucks, providing the most secure and trustworthy information destruction services possible for its customers. Shred-it UK has customers which span the sectors, from government agencies to financial and legal institutions, taking each customer’s unique needs into account and bringing secure on-site document destruction services direct to their door, thus ensuring total confidentiality in security and shredding.
Shred-it is a world-leading document destruction company that ensure the security and integrity of our customers’ private information. The company operates more than 140 branches in 16 countries worldwide, servicing over 150,000 global, national and local businesses, including the world’s top intelligence and security agencies and more than 500 police forces, 1,500 hospitals, 8,500 bank branches and 1,200 universities and colleges.
Shred-it has branches in the following locations: Belfast, Dublin, Glasgow, Edinburgh, West Yorkshire, Chippenham, Essex - Waltham Abbey, Newcastle, Manchester, Birmingham, Milton Keynes, Portsmouth, Exeter, London - Stratford, London – Brentford, Nottingham and now Cardiff.