Human error biggest security risk for a quarter of UK’s SMEs.
Third of small business owners unaware of what constitutes confidential information.
Over a quarter of SMEs have no information security protocols or training in place.
SMEs in the UK are failing to train staff on how to correctly identify and dispose of confidential information, which could lead to a costly data breach, warns the UK’s leading information destruction experts, Shred-it.
A Shred-it survey conducted by Ipsos MORI found that although 24% of SME owners claim that human error, such as leaving sensitive information on desks, poses the biggest security risk to their organisation, more than a quarter (27%) do not have information security policies and procedures in place. A third of those who do admit to never training their employees on these protocols.
Even more concerning is the fact that a third (32%) of small business owners are unaware of what constitutes confidential data, saying that they possess no information that would cause their business harm if stolen. However, every business in the UK holds confidential data – from payslips to meeting agendas and employee or client records – that could lead to damaging financial, legal and reputational repercussions.
“Employee error is understandably a big concern for UK small business owners. Leaving documents on a desk or throwing a payslip in the bin could pose a huge risk to an organisation. But how can business owners expect their staff to understand how to deal with confidential information if they can’t even identify what is confidential?” said Robert Guice, Executive Vice President, Shred-it EMEA.
He added, “Small businesses need to step up and take responsibility for ensuring that everyone in their organisation is aware of the sensitive data they hold. Putting in place protocols on how to deal with confidential information, or even adopting a ‘shred-all’ policy that all staff are aware of, is essential for SMEs to protect their businesses.”
Since April 2010, the Information Commissioner’s Office (ICO) has issued over £7 million worth of fines to organisations that have experienced data breaches. This is costing businesses millions of pounds; but despite such high figures, SMEs are still not doing enough to safeguard themselves against breaches from within their organisation. Investing in workplace training is key to ensuring that SMEs do not suffer costly fines which could cause irreversible financial damage.
Unlike SME owners, C-Suite executives are much more likely to train their staff on information security protocols, with 36% of C-Suite executives providing frequent data security training (twice a year or more frequently) compared to only 11% of SME owners. This regular data security training highlights that large businesses are more prepared and aware than their SME counterparts when it comes to preventing and identifying data security risks and avoiding financial penalties in the process. Shred-it is calling on SME owners to implement workplace training for all employees to eliminate the risk of a data breach. This will ensure staff at every level are adequately trained on the importance of data security and able to spot and prevent potential human error-related slip-ups before a data security breach occurs.
Five tips to help you spot a data security error before it happens!
To ensure that employees know what to look for when spotting data security risks in the workplace, Shred-it advises small business owners to follow these tips:
1. Schedule regular information security audits to identify problem areas – and solutions.
2. Introduce a shred-all policy, which means all documents are destroyed prior to disposal or recycling.
3. Keep an inventory of all information that needs to be protected.
4. Schedule on-going training so employees understand best practices for protecting confidential information – in and out of the workplace.
5. Ensure employees are informed about the risks associated with data protection breaches and are well trained on which documents they should consider shredding and how to dispose of electronic data.