SMEs at Risk From Lack of Attention to Data Protection
LONDON, May 7, 2013 /PRNewswire/ --
- Small businesses leaving door open to thieves says Shred-it
- 1/3 of companies have no plans to manage secure information destruction
- Shred-it provides free information destruction guide to SMEs
The 2013 Information Security Breaches Survey[1], launched last week by the Department of Business Innovation and Skills in the UK, revealed that 87 per cent of small businesses experienced a data breach in the last year. On the back of these results, the UK's largest information destruction company, Shred-it, has launched a guide for SMEs. The guide is intended to help them manage their secure information destruction process more efficiently and to ensure they are compliant with the data protection regulations in force in the UK.
Unlike large businesses, SMEs tend not to have the resources to have a dedicated information control officer. It is therefore even more important to have robust data protection protocols in place so that every employee understands data protection, as in effect each individual has to share this responsibility.
But, according to a recent survey from Shred-it[2], over one-third of SMEs in the UK do not have any protocols in place for storing and destroying the confidential information they hold. Meanwhile, over three quarters provide no training on information security and a similar number (77.4%) do not destroy electronic storage devices properly.
"Whenever I visit small businesses, I am always surprised by the amount of time and money spent on digital security, while employees print crucial information and leave it where other people can find it - all the firewalls and passwords in the world will not prevent the risk of paper documents being lost or stolen from unsecured bins and ordinary disposal methods," Robert Guice, Executive Vice President, Shred-it EMEA warns.
"The first stage of ensuring your organisation is safe from the risk of data breaches and is compliant with the law is to draw up an information protection policy. Concentrate on a paper and electronic system to be sure that you are fully complying with the law. The most valued asset that any organisation has is their information. Not having a proper information destruction programme in place is like leaving the safe door open for thieves."
Please find below Shred-it's guide for businesses
--------------------------------------------------
2. Shred-it Security Tracker 2012
Business guide to secure information destruction
1. Why do I need to have an information destruction process in place? Information security remains a key component of all privacy legislation and compliance standards in the UK. As such, it's not just good business practice to keep your confidential materials protected - it's the law. The printing of documents is still standard practice in most workplaces. Unless confidential printed documents are disposed of securely, there is always the risk that they could fall into the wrong hands, threatening the security and privacy of your business.
2. Chain of custody and duty of care. All businesses have a duty of care to their employees and customers to ensure that information is both kept secure and disposed of in a compliant manner. You should receive certification that the documents have been destroyed by your data destruction handler, which also means businesses can prove they have fulfilled their obligations.
3. What information do I need to destroy? There are four main categories business information falls into: confidential, business confidential, sensitive or personal information. This includes documents with signatures, bank account numbers, medical, legal and credit information. Businesses also need to consider how they destroy their intellectual property. Throwing away new product reports, training information, performance reviews, financial results or marketing strategies is just as harmful to your business, as anyone can pick this up at any time.
A shred-all policy is therefore the perfect solution because it eliminates any confusion and also helps create a consistent secure information destruction management standard. Your employees don't have to decide what to shred. They simply shred all business documents, keeping your customers, employees and business information secure. Shred-it also recycle all the paper they shred so you are able to combine two different waste streams and save money.
4. Have you identified your risk areas? A security risk assessment helps to determine the level of information security in your business, which in turn helps identify risks and how to put a secure and safe information destruction programme in place.
Shred-it offers a free risk assessment service by a trained and background checked representative. An online risk assessment survey is also available on the website. This will help you to determine how you are managing confidential information and the information destruction process.
5. Picking the right shredding company. A good shredding company provides a secure chain of custody so your documents are protected at every stage. Document handlers are background checked and security trained. The shredding company should be knowledgeable about relevant laws and regulations. Various shred sizes should be available. The company should provide disposal solutions for other products too, such as hard drives, USB sticks and other electronic and media related goods. The company should be environmentally proactive and ensure all securely destroyed information is recycled. This will ensure that you meet the environmental obligations set out under the waste hierarchy legislation.
6. Is the shredding process itself secure? Businesses need to ensure that any containers provided by the supplier are locked consoles. Once documents have been placed inside the consoles, they should not be retrievable.
7. On site or off site shredding? Document shredding on or off site should be done inside a locked area that is not accessible to anyone but the document destruction handler. Documents should never be sorted before destruction and the most secure shredding method is one that you can witness right in your location. A professional cross-cut shredding machine should be used and there should be regular scheduled collection and disposal of your documents.
8. How do you stay secure when working from home? Treat your home working space as your office workplace. Take your documents back to work in a secure manner and destroy any documents there when possible. Assume that all business documents are confidential and only take them out of the workplace if it is absolutely necessary. Do not print off any confidential information from laptops or computers unless absolutely necessary.
9. What about information stored on digital devices? Making sure you destroy products such as hard drives, USB sticks and other electronic and media related goods is important.
10. What happens if I fail to be compliant? All UK organisations must comply with the Data Protection Act (DPA). If your organisation is found to be in breach of the DPA you could be subject to a penalty from The UK Information Commissioner's Office (ICO) of up to half a million pounds. But it's not just the cost of a security breach that you need to consider. The biggest cost comes in the form of irreparable damage to your business' reputation - something that has taken years to build.
About Shred-it (http://www.shredit.co.uk)
Shred-it is a world-leading information security company providing document destruction services that ensure the security and integrity of our clients' private information. The company operates 140 service locations in 16 countries worldwide, servicing more than 150,000 global, national and local businesses, including the world's top intelligence and security agencies, more than 500 police forces, 1,500 hospitals, 8,500 bank branches and 1,200 universities and colleges.
Shred-it has branches in the following UK locations: Belfast, Dublin, Glasgow, Edinburgh, West Yorkshire, Chippenham, Essex - Waltham Abbey, Newcastle, Manchester, Birmingham, Milton Keynes, Portsmouth, Exeter, London - Stratford, London - Brentford, Nottingham and now Cardiff.