Small Business Leaders Lax on Security

An Iron Mountain survey shows administrative staff are more careful in handling sensitive information than the C-suite, but are still guilty of mismanagement.

Midmarket business leaders are putting their reputation and long-term success at risk by not following protocol, according to an Iron Mountain survey of more than 4,000 across the UK, France, Germany, the Netherlands, Belgium, Spain and North America.

The survey revealed that although they handle their organization's most confidential and sensitive information, midmarket managing directors and C-level executives could be the weakest link when it comes to safeguarding that information.

In comparison to employees across all levels of midmarket companies, CxOs topped the list of information-management sinners in all of these instances.

"The research shows that business leaders in the midmarket are more likely to put sensitive information at risk than any other employee," Sue Trombley, managing director of thought leadership at Iron Mountain, told eWEEK. "It's concerning that these leaders don't realize that they put their company in jeopardy by their actions. The financial penalties for organizations who fail to meet data handling and security obligations are getting more severe and data breaches can destroy customer loyalty and impact the bottom line."

She explained that among many small businesses, educating employees about how to manage information risk just isn't seen as a priority.

"In fact, 21 percent of CxOs say they find the processes developed to protect and securely manage information according to policy are too complex and look for a workaround," Trombley said. "This is disturbing, as the employees managed by these business leaders may adopt the lax practices, too."

She noted that education around these policies is critical to ensure that all employees, from C-level executives to administration, are aware of the policies in place and understand how to abide by them.

The research also shows that administrative staff rate well in comparison, but are still guilty of mismanaging information.

Just under one-third (29 percent) have left confidential information on the printer, one in five (21 percent) admit to having mislaid data or sent it to the wrong person, and 15 percent admit to losing company documents in a public place.

"Organizations can run into roadblocks when they are not putting the right stakeholders in the room when policies and procedures are being written," Trombley said. "All of the different stakeholders such as business leaders, legal, records and information management, privacy, security, compliance and IT have different business goals and objectives for their enterprise security strategy."

Having everyone involved when designing and implementing the strategy helps create a defined and defensible process and a strategy that implicitly includes accountability, she said.

"But that must be followed by an investment in educating employees about the policy, a change management process to ensure its adoption, and a way to measure compliance in order to create a culture of risk mitigation," she said.