UK companies are leaving themselves open to physical data theft as many divert their attention and resources to tackling other risks such as cyber crime, the UK’s largest information destruction company, Shred-it, has warned.  

Some 22 percent of C-suite executives (C-suites) and 40 percent of small and medium enterprise (SMEs) business owners perceive online threats as the biggest risk to their organisation in the next 5-10 years, according to Shred-it’s sixth annual Security Tracker research, conducted by the independent research body Ipsos. Yet this ignores the more immediate risk from loss of physical data, such as that found on paper and electronic storage devices, particularly as a third (32 percent) of C-Suites expect the volume of paper used in their organisation to increase over the next five years.

Despite businesses fearing online threats in the future, when asked what the most likely source of a data breach today would be, both C-Suites (27 percent) and SMEs (47 percent) cited internal human error rather than deliberate sabotage by an external source (C-Suites, 25 percent; SMEs, 23 percent). This further reinforces the risks faced by organisations if they do not prioritise physical data security among their employees.

This is particularly concerning as a third of SMEs (35 percent) have no policy in place for the storage and disposal of confidential data. Although almost all C-Suites do have such a policy in place, 28 percent say not all employees are aware of it. This demonstrates that while businesses are aware of the risk posed by having unsecured documents around the office, they aren’t taking the steps to address this. The survey also identified that an increase in flexible working practices may be leaving the door open to potential security issues.  While almost all (97 percent) of C-suites and 55 percent of SMEs say their employees adopt flexible/offsite working models, only 41 percent of C-suites and 32 percent of SMEs have policies in place for both off-site working and working from home.

Robert Guice, Senior Vice President Shred-it EMEAA, said: “With recent information security narrative being focused on cyber crime, particularly in the wake of the high-profile Talk Talk breach and Panama papers leak, organisations simply aren’t focusing on the genuine threat posed by physical data. The paperless office is a myth but a dangerous one that is lulling UK businesses into a false sense of security. Without the right policies in place to protect confidential data in all its forms, particularly as flexible and off-site working increases, businesses are putting the personal and sensitive information of their customers, employees and partners at risk.”

The survey also highlighted the need for Government to take action and help educate organisations about their information security responsibilities with over a third of SMEs (33 percent) saying Government commitment to information security needed improvement and a further 12 percent deeming it abysmal, a similar figure to last year (32 percent ‘needs improvement; 11 percent ‘abysmal’). By contrast, over half of C-Suites said the Government’s response was mostly good but could be better, though 18 percent agreed it needed improvement or was abysmal.

Guice added, “That businesses still think the Government needs to do more around information security is of critical importance. If organisations are confused about their responsibilities now, they will struggle in the future, especially with changes in legislation expected at a European level over the next two years. We need to work together – Government, information security experts and UK businesses – to ensure that all data is fully protected.”

The report also reveals: 38 percent of C-suite executives and 37 percent of SMEs indicate they destroy confidential information stored on electronic devices by wiping or degaussing them in-house, whereas only 12 percent of SMEs use a professional destruction service to physically dispose of these types of devices, compared to 31 percent of C-suites. Simply deleting the information on hard drives does not mean that the information has been removed; this can only be ensured by physically destroying the hard drive.

Furthermore, while C-suites (49 percent) and SMEs (47 percent) are equally likely to dispose of confidential paper documents every month or more frequently, over half of UK businesses are waiting more than a month to destroy sensitive data.  This is a concern for both businesses and consumers as most organisations hold vast amounts of data, which are apparently not being regularly disposed of when no longer required.

These results highlight that further education is required to ensure businesses are aware of the effects of both cyber security and physical data risks, and that they must continually review their protocols to meet the evolving and changing nature of the modern workplace to ensure that both are treated with equal importance.