Elizabeth Bramwell, Director at secure information management firm Iron Mountain responds to the news that small businesses are more likely to suffer from data breaches with some simple steps companies can take to protect their information.
Mid-market companies are the engine room of our global economy. In the UK alone, the sector employs 50% more people now than it did in 2010. Despite this vital role, when it comes to managing and safeguarding one of its most key assets – information – the mid-market can often be found guilty of missing a few vital information management steps.
The challenge of properly processing and managing data today is exacerbated by a complex information landscape. The associated compliancy regulations, including the imminent General Data Protection Regulation (GDPR), is matched by other challenging factors such as the widespread digital transformation on an army of time-poor but information-rich employees. Understandably in this environment, it is difficult to put effective and compliant information management processes in place.
So, what can mid-market businesses do to make life easier for themselves? How can they avoid putting themselves at risk of breaching regulations? Iron Mountain recently conducted research into the mid-market’s information management habits to understand where businesses are going wrong. A full write up of the research results can be found HERE.
Information management blunder one: the distracted youth
Our research found that younger firms have inherently bad habits with private information, little faith in their own data protection procedures and little inclination to automate processes. This is because they generally still have their heads in start-up phase, where chasing the next sale and the race to the next product cycle get their full attention.
Staff at younger mid-market firms are more careless with confidential and business-sensitive data. Nearly half (48%) of employees at companies that have been in business for less than five years have left private documents either lying about the office, have mislaid them completely, or have lost them in a public place. This is twice as many as at more established firms, where fewer than one in four (23%) have done the same.
In general, familiarity with the legal requirements governing business information comes with maturity. Indeed, younger firms are considerably less clear on how long they are required to retain documents such as tax records, contracts and customer data. More than half (51%) of respondents at companies between one and five years old admitted they could be in possession of sensitive human resource records beyond their retention deadline, compared with just 20% at firms older than 25 years.
When it comes to breaching regulations, the law is not going to give younger firms a free pass. While chasing the next sale, growing the team, or expanding into new markets is admirable, younger businesses in the mid-market need to think carefully about putting information management policies and processes in place. Get it right from the start and muscle memory will help shape the culture and protect the business as it grows.
Information management blunder two: not setting the right example
Despite the majority of respondents having a good grasp of how long their company is legally entitled to retain documents subject to data protection laws, more than a quarter admitted to be in breach of the rules by still having these documents on their computer or stored in their files.
In particular, company bosses have emerged as being unaware or perhaps cavalier about how long their business should retain documents such as tax records, contracts and customer data. Half of business leaders admit they could have documents on their computers that are well beyond their legally determined destruction dates. This is despite the Information Commissioner’s Office (ICO) making it clear in its information standards principles that businesses should retain personal data no longer than is necessary for the purpose it was obtained for. Getting this wrong could be a serious risk to the business, not only in terms of reputation and financial penalties – it could also erode customer trust and threaten the long-term survival of the business.
It’s time that company bosses in the mid-market set a good information management example. Only when the C-suite champions information policies, cultural change and better habits will these filter through the rest of the business to create a culture of information responsibility.
Information management blunder three: keeping hold of the sensitive stuff
Despite great steps forward in the digitisation of information, paper processes still prevail. They account for a large number of information mismanagement cases, when it comes to the loss of physical documents or indiscriminate filing, with a disregard for associated retention and destruction regulation.
Mid-market companies across the globe must cut out bad habits when handling sensitive information if they are to minimise the risk of inadvertent leaks and breaches of data regulation. Having a central repository for the safe storage of sensitive information is a good place to start and consideration should be given to storing securely off-site with an established third party. Thinking about how this information is shared within the business is also important. Once information such as a contract or CV is shared within your organisation, make sure you have processes in place to monitor where and how far this information travels before it becomes impossible to trace.
There’s no doubt that the mid-market is faced with challenges when it comes to information management. Getting it right isn’t easy but avoiding these common mistakes can go a long way towards helping businesses remain compliant amidst the complexity of evolving regulations.
Building processes today that can be followed by the whole business in the future can only help the entire mid-market to continue growing successfully. It is with this in mind that Iron Mountain is working with companies to make sure they take a consistent, clear and cohesive approach to managing data – whatever their industry or heritage.