While c-suite executives have begun to prioritize information security by taking positive steps to invest in security policies and procedures, small business owners continue to fall significantly behind. This is the main finding of the fifth annual Shred-it Security Tracker information security survey, which is conducted by Ipsos Reid.
Marking a positive shift in behavior compared to previous years, the survey found that 63% of c-suite executives surveyed in the U.S. say they have a protocol for storing and disposing of confidential data that is strictly adhered to by all employees, up from 51% in 2014. However, small business owners saw little improvement, with 37% of those surveyed responding they don’t have any security protocols in place.
Large businesses also take the threat of additional regulatory penalties more seriously than small businesses. In fact, 64% of c-suite respondents stated they believe stricter penalties for not adhering to document destruction legislation would put pressure on their organizations to improve policies.
The average data breach costs U.S. organizations upwards of $195 per record lost [1], and legislation violation fines can cost as much as $50,000 to $100,000 [2]. While a larger organization may be better able to absorb a large penalty, for a small business, one breach could result in bankruptcy.
“Considering that c-suite executives are placing a greater priority on information security practices, small business owners need to examine their own policies to ensure they match those of their large-scale counterparts,” said Sarah Koucky, Vice President, Security at Shred-it. “Online predators, inside sources, and fraudsters will continue to target businesses, and if the right policies and practices are not in place, small businesses will be the ones to fall victim.”
The security tracker also shows that even when they have protocols in place, small businesses are falling behind in auditing themselves. For example, only 27% of small business owners say they audit on a frequent basis, compared to 69% of c-suite execs who say the same. In fact, one quarter of small business owners never audit information security procedures and protocols.
These tips can help both small and large organizations safeguard their business information:
- Demonstrate a top-down commitment from management to the total security of your business and customer information;
- Implement formal information security policies; train your employees to know the policies well and follow them strictly;
- Eliminate potential risk by introducing a “shred-all” policy; remove the decision-making process regarding what is and isn’t confidential;
- Conduct a periodic information security audit;
- Introduce special locked containers instead of traditional recycling bins for disposing of confidential documents; and
- Don’t overlook hard drives on computers or photocopiers. Erasing hard drives does not mean data is destroyed. Physical hard drive destruction is proven to be the only 100% secure way to destroy data from hard drives.
[1] Ponemon 2014 Cost of a Data Breach Study
[2] American Medical Association – HIPAA Violations and Enforcement