• Staff not trained on information security procedure and protocols
  • More than ¾ firms not disposing of electronic storage devices properly

Small and medium-sized enterprises (SMEs) in the UK are not taking basic precautions to protect confidential data because they still do not believe that losing private information will have any impact on their business, according to new independent research commissioned by Shred-it, the UK’s leading document destruction company.


Despite the threat of crippling fines and severe reputation damage, over half (59.8%) of the small and medium-sized companies surveyed for the second annual Shred-it Security Tracker said they did not believe that the loss or theft of data from their organisation would any impact on their business, up a worrying 10 per cent from the 2011 survey.


“This years findings are particularly worrying, as they show SMEs becoming increasingly lax about information destruction as they just do not see any consequences for poor security procedures”, says Robert Guice, Executive Vice President, EMEA, Shred-it. 


This lack of concern could be the reason why over one-third of SMEs (35.4%) admitted that they had no protocols in place for the storage and disposal of confidential data, over three quarters of our respondents (76.6%) either do not provide any training for employees on company information security procedures (26.6%), or do so only on an ad hoc basis (50%).


The survey among 1,004 UK SMEs, undertaken by IPSOS MORI, also revealed a possible reason for the sector’s lack of concern about information security.  Nearly a quarter of SMEs (23.1%) admitted to being not very or not at all aware of the legal requirements for storing, keeping or disposing of confidential data in their industry.  This compares poorly with businesses with more than 250 employees where 94% of those responding said they were aware in some form of the Data Protection Act.


“What we are seeing is a lack of awareness of the legal requirements, and complacency about the likelihood of being prosecuted and fined for breaching them, really coming through into a worrying lack of control over the way information is stored and disposed of by small and medium-sizes enterprises”, Robert Guice continued.


According to the Information Commissioners Office’s (ICO) annual report, there was a 21 per cent decrease in the number of data protection cases received between 2009 and 2011 and a 9 per cent decrease in the number of cases closed. This suggests that more needs to be done to combat data protection breaches by both the private and public sector in the UK.


The report also reveals:


  • Nearly half of SMEs (46.4%) said they did not have anyone specifically responsible for managing data security issues
  • 12.8 per cent of UK SMEs have no provision in place to shred sensitive documents
  • 822 SMEs in our survey (81.9%) use an in-house shredding machine, but of those  almost three quarters (72.2%) do not have anywhere secure to store documents before being shredded
  • Just 5.4 per cent of SMEs use a professional shredding company compared to 43 per cent of larger firms (those with over 250 employees)


Electronic storage


With more information being stored in electronic form, it is equally worrying that nearly three out of every four SMEs (77.4%) could be giving away private information to fraudsters by not properly disposing of or destroying hard drives.  Over ten per cent (12.8%) of respondents do not know how their business disposes of old computers and other electronic devices and a further 14.4 per

cent simply recycle them with no attempt to remove or destroy the information kept on them.


Beyond SMEs


Larger firms (with more than 250 employees) say that they are aware of the legal framework protecting sensitive and confidential information in this country with 94% of those responding to our survey saying they were aware of the UK Data Protection Act as enforced by the Information Commissioners Office.  As a result nearly all have protocols in place to manage information securely and around half train their staff on these protocols at least once a year.


However, there is a worrying gap between the management discipline of putting people and protocols in place and actually making sure information is secure.  For all the good intentions of the larger companies surveyed, 28% still do not provide any secure places for sensitive documents to be stored before being put through an in-house shredding machine and 78.9% admitted to not safely destroying electronically stored information on hard drives in PCs, laptops, USBs or smartphones.