Survey shows inadequate disposal of hardware putting SMEs at risk
Continued ambivalence towards data protection laws in the UK
Information security policies are in place but more audits needed
London 8 July 2014: Businesses in the UK are putting customers’ and employees’ confidential information at risk by not correctly disposing of electronically-stored information, the UK’s largest secure information destruction firm has warned today.
New research from Shred-it reveals that a third of SMEs (32%) say they have never disposed of redundant electronic devices containing confidential information, while a further 35% do it less than once a year. Additionally, despite recent high-profile cyber security breaches at major firms based in the UK, more than half (51%) do not have a cyber-security policy implemented in the workplace.
The information destruction firm calls on all businesses in the UK to consider the risks posed by inadequate disposal of electronic storage devices, which could lead to fines of up to £500,000 being imposed by the Information Commissioner’s Office (ICO), as well as significant reputational damage following a breach.
“Technology is moving quickly and businesses in the UK need to keep up with this threat to their information security from electronic equipment such as laptops, hard drives and USBs. Unused or old equipment left sitting in offices offers a goldmine of sensitive information for data thieves. Companies need to seriously consider the damage to reputation if client or employee data is exposed,” warns Robert Guice, Executive Vice President Shred-it EMEA.
According to the fourth annual Security Tracker survey, which examined both electronic and paper-based information, even though more SMEs are starting to realise that a data breach would have some impact on their business, fewer than half (46%) could correctly identify the potential financial penalty for breaching the Data Protection Act. Additionally, a fifth of them (21%) believe they possess no documents that would cause their business harm if stolen, despite the vast array of commonly-held information that should be treated as confidential - from employee records to client invoices.
Ambivalence towards data protection regulation
This survey found that the lack of knowledge regarding what constitutes sensitive data also translates to ambivalence towards data protection regulation. Two in five SMEs (41%) and their larger counterparts (42%) say they don’t know if they would encourage stricter data protection laws in the UK even though this would help protect the confidential information of their clients and employees. Tellingly, a third of SME business owners (31%) say that the UK government’s commitment to information security needs improvement.
“Laws are in place to take care of sensitive information; therefore it’s a worrying trend that knowledge of this regulation is not increasing. SMEs in particular feel the Government needs to do more to educate and inform on this important topic. We call on the Government to place more emphasis on this to help put information security at the top of the agenda,” said Mr Guice.
Key findings on the effectiveness of policies
While more SMEs (68% up from 60% in 2013) are saying they have some sort of existing protocol for storing or disposing of confidential data, 14% still do not know if one exists within their company. Furthermore, a quarter of SME business owners (24%) have never conducted an audit of their information security procedures and protocols to see if they are working effectively, highlighting potential security risks from inadequate policies.
Additionally, while two in five SMEs (40%) have a policy for off-site work and working from home, a similar number (37%) have no policy in place for either, which is a worrying trend given flexible working is becoming more common, particularly around school holiday periods.
The report also reveals:
SMEs are four times as likely in 2014 to have a secure document disposal console in-office and to have sensitive documents shredded by professional services, and are less likely to shred via an in-house shredding machine.
However, more than three-quarters of SMEs have either a recycling or waste bin at employees’ workspace, which opens up potential for disposing of confidential information in the wrong place.