Canadian small businesses ignoring information security threat: Shred-it

New figures from Shred-it show there is a growing divide between large organizations and small businesses when it comes to information security.

Although there appears to be growing awareness among polled C-suite executives about the threat posed by data breaches – prompting them to take concrete steps to improve their security policies and procedures – that does not seem to have translated to small businesses, suggest findings of Shred-it’s 5th Annual Security Tracker study.

Conducted by Ipsos Reid and released this week, the quantitative online survey – the fieldwork for which was done April 20 to May 3 – involved two distinct sample groups: small business owners in Canada (n = 1,000), and C-suite executives working for businesses in Canada with a minimum of 100 employees (n = 101).

In all, 65% of surveyed executives report they have a protocol in place for storing and disposing of confidential data, up from 42% in 2014, notes a statement from Shred-it, which operates in 18 countries and provides information destruction services. In addition, the survey found 45% of large organizations require suppliers to have an information security policy in place, and 41% require a security breach response plan.

Small business owners, however, appear to have made little headway in combating information security threats, the findings indicate. Of that group, 37% of respondents report that they do not have a protocol for storing or disposing of confidential data.

“Companies without basic information security protocols in place are essentially disqualifying themselves from working with large organization that vet their suppliers,” Shred-it reports.

“As small business continues to lag behind their larger counterparts, they’ll increasingly expose themselves to not only theft and fraud, but severe financial repercussions that would result in bankruptcy,” Sarah Koucky, Shred-it’s vice president of security, argues in the company statement. [click image below to enlarge]

Other survey findings include the following:

• 88% of respondents of large companies say their companies “frequently” or “sometimes” conduct audits, up from 64% in 2014;

• 69% of respondents of large companies report their companies train employees on security protocols at least once per year, up from 43% in 2014;

• just 56% of small business respondents say that they “frequently” or “sometimes” conduct audits; and

• 36% of small business respondents report they have never trained their staff on information security protocols.

“Together, training and testing ensure that policies and procedures are able to combat threats as they emerge and limit exposure to the risk of fraud,” Koucky maintains.

Shred-it suggests there are simple steps that can help small businesses mitigate the risk of a costly data breach, improve their information security and better position themselves to conduct business with larger Canadian organizations.

Among these measures are the following:

• eliminate unsecure recycling bins and provide secure shredding containers for the secure destruction of documents;

• securely destroy old hard drives once they are no longer needed;

• encrypt employee smartphones so data is secure if phones are lost or stolen;

• regularly update software to ensure security holes are patched;

• install anti-malware software on all computers and block access to risky sites;

• implement policies that describe equipment, data and documents that employees are and are not permitted to remove from the office; and

• train all new employees on information security policies and procedures.

Shred-it reports that the survey is considered accurate to within 3.5 percentage points had all small business owners been surveyed and to within 11.2 percentage points had all C-suites been surveyed.