The big picture that emerges, according to a recent study conducted by Ipsos Reid on behalf of Shred-it, is that small businesses don’t fully comprehend the impact that a data breach could have and as a result, are not safeguarding sensitive information as thoroughly as they should. In fact, a surprising number of small businesses (69%) are not aware or don't believe data being lost or stolen would result in financial impact and harm to their businesses credibility.
"We’re urging companies to be vigilant when it comes to information security," said Mike Skidmore, privacy and security officer at Shred-it, in a statement. "We have seen a consistent increase in small businesses without security protocols in place and a crucial first step for practicing effective information security is improving awareness of policies and procedures. Organizations face a lot of risks, but enforcing sensitive data safeguarding as a company-wide practice will potentially avert both significant financial and reputational damage."
Researchers found that many US small businesses are taking a passive approach when it comes to protecting their data, leaving themselves vulnerable to data loss and possible financial and reputational damage.
A full 40% of small business owners have no protocols in place for securing data, which is a 5% increase from last year’s study on the subject. More than a third of small businesses report that they never train staff on information security procedures. And, almost half (48%) have no one directly responsible for management of data security.
Only 18% would encourage new data privacy legislation requiring stricter compliance and penalties to information security threats.
Shred-it recommends a thorough analysis of possible security gaps in one's organization, and within the supply chain, along with the implementation of ongoing risk analysis processes. Businesses should also create a policy specifically designed to limit exposure to fraud and data breaches, and regularly train employees in proper document management and encourage their adoption of security best practices.
And of course, they should have up-to-date and effective computer network protection, including anti-virus software and a firewall.
Small businesses may be the overwhelmingly in the dark about security risks, but it should be noted that businesses of all sizes make that mistake. The 2013 Shred-it Security Tracker found that more C-suite executives (12%) reported financial losses of more than $500,000 due to data breaches this year than in previous years; yet, 23% of the executives surveyed do not believe a data breach will impact their business. At the same time, while awareness of legal requirements among C-suite executives was up 4% from 2012, only 16% report training employees on protocol twice a year, down 11% from 2012.