Twenty one per cent of 1000 small business owners have never audited their organisation’s information security procedures according to the results of a survey published by Shred-it.
The security tracker, which was conducted by Ipsos MORI, surveyed 1000 SMBs and 101 corporates between April and May 2015.
It found that 47 per cent of larger organisations and 28 per cent of small businesses conducted frequent security audits for the storage and disposal of confidential information.
Meanwhile 40 per cent of small business owners had a cyber security policy while 80 per cent of C-suite executives had a policy.
In addition, only 50 per cent of SMBs checked supplier security policies. Of those who did check policies, 22 per cent were most likely to check that the suppliers had an information security policy in place and that they had a clearly stated policy on handling customer data for off-site workers (19 per cent).
This compared to 90 per cent of larger organisations who performed security checks.
Corporates checked that suppliers had a policy in place for handling customer data for off-site workers (40 per cent) and that they had a shred-all policy in the workplace (39 per cent) .
The report also found that while 93 per cent of C-suite executives had a known protocol for storing and disposing of confidential data, 43 per cent said that not all employees were aware of it.
Meanwhile 62 per cent of small business owners have a protocol for storage and disposal of data but only 45 per cent said that their employees were aware of the policy.
According to the survey, 29 per cent of large organisations dispose of hard drives, USBs and other hardware containing confidential information every month or more frequently. Meanwhile, 40 per cent of SMBs said they had never thrown out this type of hardware.
Commenting on the results, Shred-it general manager Eric Konicki said that it was important that businesses of all sizes understand the value of information and implications of confidential information falling into the wrong hands.
“Security policies are worthless without buy-in from employees or suppliers. At the very least, organisations need to ask their suppliers how their staff handle customer data, especially when their suppliers have people working off-site,” he said.
According to Konicki, small businesses in Australia need to educate themselves and their employees on information security and conduct regular training.
“They should test that training with frequent audits of internal and external protocols to help them protect not just their own businesses, but the information of their customers and suppliers.”
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia