Small and medium sized enterprises in the UK do not see information security as an important issue, yet the risk of data breaches has never been higher. With so many people across the country seeking to avoid travel chaos resulting from the major sporting events taking place this summer, there are more opportunities than ever for paper documents and electronic storage devices to be lost or stolen and for confidential data to fall into the wrong hands.
The Government, regulator and trade bodies need to lead from the front in raising the profile of the issue and providing support to those who need it. The ICO then needs to finally use the powers it has to punish transgressors, in order to send a message to the rest of the sector about how important it is to keep consumers' information safe.
The ICO has levied a total of £2 million in fines since 2010 on companies found mishandling confidential information relating to their customers. In a world where demonising the financial services industry has become something of a national pastime, it's no surprise that loans firm Welcome Financial was the not-so-lucky recipient of a £150,000 charge for the loss of a pair of backup disks.
So is the regulator showing its teeth? Not really. In the great scheme of things, £2 million is a pitiful amount to have collected. Even the anecdotal experience from my day-to-day work in the field of secure confidential data destruction shows that it remains a sad fact of life that many companies are remiss in their handling of confidential information. Whether triggered by a lack of resource or a lack of appetite, somewhere along the line a connection is not being made.
Shred-it is not calling for the regulator to embark on a clampdown on errant companies, though. Large-scale fines by regulators are in themselves an admission of failure. Transgressors should be punished, and all the more so when they are large corporates and public sector agencies which should know better, given the breadth and depth of their operational resources. For a smaller firm, however, a blow of this kind could be fatal.
This is one reason why the figures in the 2012 Shred-it Security Tracker survey are so concerning. 59% of small and medium-sized enterprises (SMEs) in the UK do not currently believe that the loss or theft of confidential data would be a problem for their business, a number all the more worrying because it represents a rise of 10% on the 2011 figure.
If that wasn't enough to ring alarm bells, over a third (35%) of UK-based SMEs currently have no protocols in place for the secure destruction of confidential customer information. Furthermore, just over 75% reported that they offer no training for employees in relation to information security.
This is why the biggest challenge facing the ICO is the need to step up in its role as an educator. It's a cliché to say it, but prevention is better than cure, and levying fines on small businesses, where the fine might be the determining factor in tipping them towards insolvency, ultimately benefits nobody.
But where to begin? There are myriad ways in which data breaches can occur, but all companies can make a start by binding themselves to some basic principles. Taking the time to audit and determine what actually constitutes confidential information within the business is a good starting point, as is taking steps to build employee awareness of the reputational and financial risks attached to a breach.
Then the focus can switch to understanding the importance of not allowing confidential data to slip into the waste stream (which in this context usually means the recycling stream), and to identifying the policies, processes and third-party supplier partners that will safeguard data security.
We live in an information age, yet managing and destroying confidential information remains a second-class issue. It's about time the message was given loud and clear that all businesses have a duty to keep details about their customers, clients, staff and business to themselves.