Each year the Shred-it Security Tracker shows that Canadian small businesses are underestimating the risk of data breaches at their companies. In the most recent version, almost one-third of Canadian small business leaders said that they have no protocol in place for storing or disposing of confidential information and 44 per cent said that they have never securely disposed of hardware containing confidential information that is no longer needed. One of the reasons precautions are not taken is that organizations simply don’t believe they’ll be affected — in fact, half of small businesses in Canada suggested they wouldn’t be affected by a data breach.
In reality, the impact of a data breach can be severe. A recent Ponemon Institute study sponsored by IBM found that, globally, the average data breach costs $3.5 million, including lost business and damage to reputation.
The same study also found that the average cost for each record lost is $145. For a company with 3,000 customers, a data breach would cost around $435,000, a devastating amount for any small business. If the cost of a data breach is even a fraction of that average, it can mean the difference between solvency and bankruptcy for many small businesses. With so much at stake, it’s unfortunate that small businesses are not addressing their information security weaknesses.
One of the reasons why small businesses aren’t implementing information security policies is that they don’t have the resources to do so. Small business owners can’t always afford to install the latest software or expensive security systems. Luckily there are many simple steps that can help mitigate data breach risk.
Thieves can gather confidential data simply by walking down the halls. Desks and printer stations are prime locations for confidential data to be left unattended. Because most companies do not require employees to lock documents in secure cabinets or destroy confidential documents that are no longer needed, offices serve as a hotbed of activity for thieves. For the sake of convenience, businesses provide employees with unsecured recycling bins at their desks, another prime target for thieves looking for data.
To better secure physical assets, businesses should: provide employees with filing cabinets that can be locked; eliminate unsecured recycling bins and provide secure shredding containers for the secure destruction of documents; securely destroy old hard drives once they are no longer needed; and use laptop locks that prevent physical theft.
Major digital data breaches are increasingly common features in the news. Home Depot, eBay and JP Morgan Chase are three of the most prominent victims of cybercrime in 2014, but there are hundreds of major breaches each year that don’t make the news. The fact that large companies with massive IT security infrastructures became victims highlights the inherent risks for even the most sophisticated of businesses. However, there are some steps that small businesses can take that won’t require a huge capital investment.
To better secure digital information, businesses should: encrypt employee smartphones so that data is secure if phones are lost or stolen; regularly update software to ensure security holes are patched; limit access to network folders with sensitive information; and install anti-malware software on all computers and block access to risky sites.
Policies, procedures and training
Perhaps the most cost-effective way to protect a business is to instill in employees a commitment to security. By developing and implementing policies and procedures that emphasize responsible information management, companies can create a culture of security that will help protect them from fraud and theft. Introducing training programs to review and reinforce policies and procedures will ensure that employees are prepared to address security issues directly.
To instill a culture of security, businesses should: develop rules for proper document management that include storage and disposal; implement policies that describe the equipment, data and documents that employees are and are not permitted to remove from the office; train all new employees on information security policies and procedures; and tie adherence to information security policies to the performance review process.
It doesn’t have to cost a lot to implement sound information security programs that will reduce the risk of fraud and theft. What it does require is a commitment to information security. In hectic work environments, it’s easy to overlook security in favour of focusing on the day-to-day operation of the business. However, doing so puts a company’s financial security and reputation at risk. The cost of preventative action is far less than the cost of recovering after a breach.
Bruce Andrew is the executive vice-president of marketing and customer experience at Shred-it.