August 31, 2015

Small Business Advice Week: How to Protect Your Organisation From Security Breaches

Small Business Advice Week is a good time to review the evolving challenges facing SMEs and the safeguards you have in place to protect your organisation.

Research shows that the 4.5 million small businesses in the UK are increasingly at risk of data breaches. One study found that in 2014 alone, 60% of small businesses experienced an online data breach.

So what are the reasons behind the growing threat, and what is the solution?

Shred-it's 2015 Security Tracker found that while 88% of small organisations are aware of information security laws, they are at increased risk of a security breach because they haven’t kept pace with larger corporations’ processes and protocols on privacy protection. The consequences are increasingly serious, with the average cost to a small business of its worst security breach doubling from 2012 to 2014, and now standing at £115,000. On average, 23,000 records are exposed every time a UK organisation suffers a data breach.

One of the best ways an organisation can protect itself against a security breach is a comprehensive information security policy, which documents procedures for protecting physical and information technology assets.

While the policy should be concise, user-friendly, and aligned to legislation and regulatory frameworks, it must also be a fluid and evolving document that allows an organisation to keep up with trends in information security and changes in the threat landscape.

Here are some key actions that businesses should be focussing on to reduce risk:

  • Schedule regular updates of information security policies and procedures. The world of information security has changed so completely that any policy written more than two years ago is almost certainly irrelevant.
  • Provide leadership. Appoint an individual figurehead as well as a supporting committee to be responsible for managing data security procedures.
  • Conduct regular risk assessments. A security risk assessment will help you identify areas that are vulnerable to a data breach.
  • Focus on mobile device security. The highly mobile workforce is here to stay. According to PwC's 2015 Global State of Information Security Survey, 54% of respondents say they have implemented a mobile security strategy, and 47% say they employ mobile-device management or mobile-application management solutions.
  • Support employee knowledge and understanding. PwC's recently released 2015 Information Security Breaches Survey found that 50% of the worst security breaches in the year were caused by inadvertent human error. Conversely, Shred-it's Security Tracker research found that 31% of SMEs don’t provide their staff with any training on the organisation’s information security procedures. Reduce risk and take action by creating a culture of security throughout the organisation, and provide on-going practical skills training.
  • Evaluate third parties. Breaches caused by third parties with trusted network access continue to rise. Our 2015 Security Tracker showed that 53% of small businesses don’t perform security checks when engaging a third-party supplier. Businesses of all sizes need to insist that third parties employ adequate security and privacy safeguards.
  • Integrate physical security practices too. Include a shred-all policy in your overall information security framework to ensure all documents are destroyed when no longer needed and avoid relying on individual employees to decide what should or shouldn't be shredded. Partner with a document shredding company that installs locked consoles in the workplace to keep confidential information safe prior to shredding, provides security-trained personnel to collect discarded documents for secure shredding, and issues a Certificate of Destruction after every shred.
  • Schedule hard drive destruction. Ensure that all obsolete technology and equipment (as well as e-media that is no longer needed) is fully destroyed so information cannot be recovered. Speak to your document destruction partner, as they should be able to provide this service.

This DIY Security Risk Assessment is a handy place to begin reviewing your document security processes. If you uncover any worrying gaps, get a second opinion from the experts today!