More than one-quarter of small businesses have never conducted an information security audit or reviewed processes on securing document destruction, according to a survey of 1,000 US small businesses conducted by Ipsos Reid for Shred-It.
In addition, 36% of small businesses have no policies in place for document storage or disposal, and 31% have never trained employees about information security.
Although 78.6% of respondents were aware of the legal requirements of storing, keeping, and disposing confidential data, 31.1% never trained staff on the company’s information security procedures and protocols, and 35.5% of companies have no protocol in place for storing and disposing confidential data.
“The thing that is most significant [in the survey] is probably the number of small businesses that don’t have any protocols in place for safeguarding their confidential information. Equally as shocking is the number of businesses who think they would not be harmed if they had a security breach”, Mike Skidmore, privacy and security officer at Shred-It, told Infosecurity.
At the same time, 24.3% of respondents had conducted a security audit and 30.2% had reviewed processes for securing document destruction in the past six months. When asked why they conducted information security audits, 67.3% said they did so to proactively protect their business from potential security gaps, while 30.8% conducted audits for compliances purposes.
While respondents said that keeping business information secure was important (96.2%) and having secure document destruction policies in place was important (90%), more than half said they did not offer secure document security facilities such as secure locked consoles.
Skidmore said that this gap in security practices may stem from the entrepreneurial nature of small businesses. “Most things are passed around in an oral tradition, rather than a written tradition. Information is imparted verbally, and companies don’t tend to have formal policies and procedures in place until that start to grow more”, he said.
“As people become more aware of the dangers of identity theft or confidential information falling into the wrong hands, people will certainly see how harmful that can be to their organization”, Skidmore added.
Shred-It offered the following advice to small businesses to improve their information and document security: make sure there are formal information security policies in place; train employees on the policies and follow them rigorously; eliminate potential risks by destroying all unneeded documents on a regular basis; conduct a periodic information security audit; physically destroy hard drives that contain information that is no longer needed by the business; and hire a reliable vendor that is well-informed and keeps the business compliant with pertinent legislation and training requirements.