News

Businesses ‘at risk’ by failing to
destroy sensitive documents,
research suggests

Date: 2017-11-22

Credit card cloning, document leaks, computer hacking… in a world in which all activity is recorded, fraud and identity theft are an ever-present danger.

And in a busy corporate environment it can be easy for confidential data to be shared inadvertently. All it takes is for a document containing sensitive material to get mixed up in the wrong file or be left in a printer tray, for example, and all manner of confidential information can end up in the wrong hands.

Despite the potential problems these incidents can cause, many companies are seriously lacking in their document security measures. With this in mind, we carried out an independent survey to determine exactly what companies saw as being sensitive material. We spoke to more than 500 small to medium business owners and managers, asking them which documents they consider sensitive enough to shred.

Selecting all options that they felt were important — offering a total of 2,192 answers — our respondents exposed the following findings:

Which of these documents would you consider sensitive enough to shred?

Personal employee data

95.4%

Company financial information

90.4%

Wage information

88.6%

Invoices

67.5%

Company structure

51.5%

Competitor lists

42.3%

Other

1.8%

Top secret

Unsurprisingly, the top response was ‘personal employee data’, with over 95% deeming this type of information worthy of secure destruction. As incidences of identity theft are rife — reportedly reaching record levels in 2016 — it’s easy to see why protecting staff data is a priority for business owners.

Financial data, in the form of company-wide information and employee wages, also ranked highly for sensitivity, at 90.4% and 88.6% respectively.

Of course, the consequences of such confidential data being leaked internally include:

  • raised tensions among staff who become aware of their colleagues’ salaries
  • unnecessary concern over the company’s financial performance

And although sharing financial data in a controlled manner can be seen as a way to engage and motivate the workforce, the flipside is that there are a number of risks, particularly when the information is circulated accidentally.

Low on the agenda

While the top three survey answers fell in line with our expectations, the fact that ‘invoices’, ‘company organisation’ and ‘structures’ ranked relatively low in our respondents’ priorities appears to highlight a bigger problem.

For example, just over two-thirds (67.5%) identified invoices as important documents to destroy, which implies the remaining third of respondents do not view the contents as sensitive.

However, invoices can:

  • offer insight into what services/products your customers are purchasing
  • highlight the quantity and regularity of orders
  • show the price (including any discount and bulk incentive) the customer is paying
  • contain bank account details

In the wrong hands, invoices and the information they contain could be very damaging to both a company and its clients, as past cases have proven.

Our research also suggested business owners and managers place relatively low importance on information about their company’s organisational structure, since only just over half of respondents (51.5%) stated such documents needed to be destroyed due to their sensitivity.

Of course, it should be noted that company structure information could:

  • include information on business models and company goals that would be of interest to rival companies
  • highlight senior team members, making them targets for head hunters
  • emphasise the presence of hierarchy within the business, thus creating tension among colleagues

As with company financials, there are advantages to being transparent about your organisational structure internally. But what if the information were to find its way outside the business and into your competitors’ hands? It’s a risk that surely isn’t worth taking.

Information about competitors also ranked relatively low in our respondents’ priorities, with just 42.3% deeming it necessary to destroy. However, what could be intended as an innocuous document containing research about competitors could in fact highlight strategies that companies are taking to retain or attract clients, while also revealing new business pitch ideas.

In short, this information could communicate inside knowledge that gives competitors the advantage, not to mention highlighting the apparent lack of vigilance and care around confidentiality that allowed it to be circulated in the first place.

Moving with the times

Due to increased awareness around online security, we are in general becoming savvier about protecting our confidential information. The numerous high-profile data theft cases to hit the headlines in recent years serve to reinforce that anyone can be a victim of fraud; after all, if it can happen to such corporate giants as Yahoo, Deloitte and ABTA, it can happen to anyone.

But with the Data Protection Act (DPA) 1998 set to be replaced by new EU legislation — the General Data Protection Regulation (GDPR) — in May 2018, the need for businesses to review and improve their data security measures has never been greater.

Since the DPA is now considered out of date due to advancements in technology, the GDPR is being introduced as a standard for data privacy laws across Europe, aiming to give individuals control over their personal information. However, there’s been a tendency to focus on the security of online data and overlook the risk of keeping paper files.

In a busy office environment, it can be easy to discard printed reports, photocopied invoices and even casual, handwritten notes without thought, or place them in disorganised piles when they’re no longer needed, rather than disposing of them safely and properly. What’s more, hard copies can often contain original signatures and/or photo identification, which render such documents even more sensitive.

Removing the risk

Lack of vigilance over tangible data can cost companies dearly, whether it’s a failure to store the data securely enough or by not destroying it properly. It may sound obvious but simply throwing paper in the recycling bin will not eradicate its contents — and neither will pushing pages into the cumbersome line shredders often found in offices.

Many businesses — from small start-ups to large corporations — are beginning to recognise the importance of ensuring their confidential waste paper is destroyed securely and sustainably by outsourcing the service to professionals. By having this sensitive material removed and shredded in industrial machines on a regular basis, they are disposing of the risks associated with keeping it on their premises while meeting their data protection responsibilities ahead of the imminent change in legislation.