Small firms lax about confidential document handling, disposal

More than one-third of small business owners surveyed did not have policies in place for protecting, storing, and disposing of confidential data, and 28% said that their company had never trained staff on information security procedures and protocols. Ipsos Reid polled 1,136 small business owners and 100 C-level executives working for companies with a minimum of 500 employees in the US.

These results are similar to last year’s survey, which found that 36% of small businesses did not have policies in place, and 31% have never trained employees about information security.

“In spite of all the publicity around security breaches, small businesses still haven’t received the message that they need to protect their confidential information”, said Mike Skidmore, privacy and security officer for Shred-it.

“Security breaches involving small businesses are on the rise….We need to ensure that small businesses become more focused on securing their confidential information”, Skidmore told Infosecurity.

The survey polled both large and small organizations. A full 95% of C-level executives at large organizations are aware of the legal requirements of storing, keeping, and disposing of confidential documents, compared to only 77% of small business owners.

“Big companies have awareness and resources to manage security procedures in their organization. Most large organizations are covered by some type of legislation”, Skidmore commented.

“It’s important to raise the awareness of small businesses about instructing all their people to safely and securely handle confidential information”, he added.

The survey found that 61% of C-level respondents have a management-level employee responsible for managing the company’s data security issues, whereas close to half of small business do not have anyone directly responsible for mitigating risks.

One-third of C-level respondents said that lost or stolen data would result in severe financial impact and would harm their credibility as a business, while the majority of small business owners said that lost or stolen data would not seriously impact their business. Compared with the 2011 survey, small businesses were less concerned – 14% in 2012 compared to 21% in 2011 – that stolen data would have a severe financial impact and harm its credibility.

In addition, half of small businesses do not have secure locked consoles to house sensitive materials and use in-office shredding vs. a professional shredding service.

Skidmore recommended that small businesses appoint a person to oversee how confidential information is handled, hire a security company to handle document disposal and train staff, and institute a policy of shredding all confidential documents and destroying electronic information when no longer needed.

What’s hot on Infosecurity Magazine?