Security policies are worthless without buy-in from employees or suppliers, and legislation has many small businesses in the dark, a data security survey has found.
Australian small to medium businesses (SMBs) are at risk with their approach towards disposing of confidential information. Indeed, as Shred-it’s general manager (Australia) Eric Konicki puts it: “What I’m finding not in just Australia alone, but on a global scale is that large companies have lots of resources and awareness, but small companies are just focused on running their business and thus they don’t have the time to think if their security protocol is really secure. Some allocate resources to facilities managers to handle this. And some consider information disposal as a waste stream. Now, how this is important to facilities managers is that they need to understand their liability to make sure the security company they choose follows the proper security procedures. An audit is very important, and available consultancy services are also a priority. Because security policies are worthless without buy-in from employees or suppliers.”
The inaugural Australian Shred-it 2015 Security Tracker, which surveyed more than 1100 large and smaller businesses across Australia, revealed a significant lack of understanding and implementation of information security policies among SMBs, particularly when compared to larger Australian counterparts.
While smaller businesses in particular were found to be lagging, the majority of Australian businesses received a ‘could do better’ score in a number of areas.
The report revealed that while 93 percent of larger organisations and two-thirds of SMBs have known protocols for storing and disposing of data, around half revealed that not all employees are aware of these policies.
Further, when it comes to auditing their information security procedures, fewer than half of larger organisations and only just over one-quarter of small businesses conduct frequent audits. Alarmingly, one in five smaller businesses say they have never audited their organisation’s information security procedures.
The importance of vetting suppliers for how they handle customer data is not a high priority for Australian small businesses. Only 50 percent of SMBs formally check supplier security policies, compared to 90 percent of larger organisations that ensure vendors have a clearly stated policy in place when handling customer data.
“It is important that businesses of all sizes understand the value of information and the implications of confidential information falling into the wrong hands,” says Konicki.
“At the very least, organisations need to ask their suppliers how their staff handle customer data, especially when their suppliers have people working off-site.”
The survey further highlighted that if additional legislation or regulation regarding document destruction were to be introduced, only 21 percent of small business owners believe this would put pressure on them to change their information security policies, compared with almost half (46 percent) of executives in larger businesses. What’s more, a further 38 percent of SMBs do not know what impact new legislation would have on their policies.
“What this study brings home to me is that small businesses in Australia need to educate themselves and their employees on information security and conduct regular training and then test that training with frequent audits of internal and external protocols to help them protect not just their own businesses, but the information of their customers and suppliers,” Konicki adds.
“It’s time for all businesses to put information security at the top of the agenda to help mitigate the risk from data thieves and fraudsters,” Konicki says.
Tips to safeguard your information
- Implement formal information security policies: train your employees to know the policies well and follow them strictly.
- Introduce a ‘shred-all’ policy: remove the decision-making process regarding what is and isn’t confidential.
- Conduct a periodic information security audit to ensure your policies are working as they should.
- Introduce special locked containers instead of traditional recycling bins for disposing of confidential documents.
- Don’t overlook hard drives on computers or photocopiers: erasing hard drives does not mean data is destroyed; physical hard drive destruction is the only 100 percent secure way to destroy data from hard drives.