Could Employee Error Cause a Security Breach?
Nearly a quarter of SME business owners in the UK say that human error, such as leaving sensitive information on desks or disposing of confidential documents in an unsecured bin, poses the biggest security risk to their organisation. Despite this, 27% don’t even have an information security policy or protocols in place, according to Shred-it’s 2015 Security Tracker survey. A third of those that do have policies in place admit to never training their employees on these protocols.
So even though UK businesses are worried that their employees could cause their business harm – and by accident! – they aren’t doing enough to make sure that a data breach doesn’t happen. That’s worrying, especially since a study by the Ponemon Institute found that human error is one of the main causes of a security breach.
Why is there a disconnect between fearing human error and putting in place measures, such as information security training, to ensure that employees are aware of the risks? Part of the reason is that many small business owners are unaware of what constitutes confidential data. Shred-it's study found that a third of SME owners said that they possess no information that would cause their business harm if stolen. However, every business in the UK holds sensitive data – from payslips to meeting agendas and employee or client records – that could lead to damaging financial, legal and reputational repercussions. If you don't know what to shred, then how can you protect yourself against a breach?
Since April 2010, the Information Commissioner’s Office (ICO) has issued over £7 million worth of fines to organisations that have experienced data breaches. 'I didn't know that was considered confidential!' doesn't help your case if a data breach occurs! As well as the potential fine, the organisational cost of a data breach can be crippling for an SME. A recent study found that the average cost of a small business' worst data breach ranged from £75,000 to £311,000. Investing in information security training is crucial to ensuring that your workplace is safe and helping prevent irreversible financial damage.
Unlike small business owners, C-Suite executives (senior executives in larger companies with more than 250 employees) said they are much more likely to train their staff on information security protocols, with 36% of C-Suite executives providing frequent data security training (twice a year or more frequently) compared to only 11% of SME owners, according to the Security Tracker. This regular data security training highlights that large businesses are more aware than their SME counterparts when it comes to identifying and preventing data security risks and avoiding financial penalties in the process.
There are ways that you can protect your business and your staff – and training is an important part of this. Our five tips below will help you to ensure that your employees know what to look for when spotting data security risks in the workplace.
- Schedule regular information security audits to identify problem areas – and solutions
- Introduce a shred-all policy, which means all documents are destroyed prior to disposal or recycling
- Keep an inventory of all information that needs to be protected
- Schedule ongoing information security training so employees understand best practices for protecting confidential information – in and out of the workplace
- Ensure employees are informed about the risks associated with data protection breaches and are well trained on what information is confidential and how to dispose of electronic data
Listen to Shred-it's Robert Guice talk about the issues and misconceptions that small businesses have when it comes to information security in this BBC radio interview and find out how you can prevent risks with document destruction services.