Is a lack of responsibility over information security putting UK businesses, large and small, at risk of fraud?
Globally an estimated 5% of organisations' annual revenue, amounting to billions of pounds each year, is lost to fraud, according to a recent study conducted by the Association of Certified Fraud Examiners.
Fraudsters can take hold where a lack of data security exists, due either to a firm's casual approach to its responsibilities for protecting information or to weak, ineffective anti-fraud controls already in place. In the UK, central government bears the majority of public sector fraud costs. These are estimated at £30 billion per year, while the private sector, including SMEs and large businesses, is hardest hit, losing an estimated £144 billion a year (1).
Data security breaches expose organisations to employee fraud, management fraud, and fraud emanating from outside the organisation. Such breaches have a negative effect on the economy, cause financial loss to businesses, organisations and individuals, as well as causing distress amongst victims.
Bearing in mind that the loss of revenue can also be compounded by heavy legal fines from the Information Commissioner's Office (ICO), as well as other regulatory bodies, and add to this the fact that revenues may fall due to the loss of key customers and business partners, the need for firms to make data security a top priority becomes glaringly obvious. There is no point in businesses working hard to bring in sales if they are undermined by weak data security systems. Educating employees in good computer practices can play a critical role in a business's overall cyber security strategy. However, a key danger point in the business information life-cycle is the disposal of brand identifiable items such as old documents, computer files, ID cards and uniforms.
This type of information could potentially be used for fraudulent purposes if allowed into the wrong hands. It is imperative that data destruction is given as much gravitas in a company's psyche as the management of operational data. Confidential data shredding on a professional scale offers an excellent solution for any business wishing to strengthen its anti-fraud controls. When choosing an appropriate provider, it is advisable to source a business which meets the ISO 9001 (Quality Management), ISO 14001 (Environmental Management) and ISO 27001 (Information Security) standards, whilst having a data destruction process which is accredited to BS EN15713.
The Data Protection Act requires businesses and organisations to ensure that their data is secure at all times, including when it is no longer required. However, with identity theft and fraud on the rise it is clear that there are loopholes still being exploited. Fraudsters are keenly aware that UK businesses spend millions of pounds building and maintaining a brand. Uniforms, business cards, ID cards, letterhead and product samples are examples of items that attract their attention. A business identity is easy to steal once company assets, client lists and financial information have been obtained. Businesses need to take a fresh look at their systems and review them to see if they are physically and digitally secure enough to thwart any criminal plans.
Firms such as Restore Document Management are currently working with companies to offer secure services that capture, process, manage, retrieve, share and, when necessary, destroy critical documents and information. Evidence shows that organisations which lacked anti-fraud controls suffered median losses twice as large as those with robust controls and measures in place (2).
Anthony Pearlgood, Managing Director of Restore Datashred, said: "Employing a professional data management business, like ours, is a reliable way of making sure that your data security is air-tight and ready to combat the fraudsters. It means that businesses have a bespoke, responsive service to take care of their data protection issues. With the ICO being able to impose fines on businesses of up to £500,000 for serious breaches of the Data Protection Act, then working with a data solutions organisation to improve anti-fraud controls makes total economic sense.
Anything that identifies a person, or could be of interest to competitors or criminals should be protected and securely disposed of when no longer required. Such confidential data comes in many forms including files, documents, forms, invoices, databases, employee records, letters and plans. With the advent of the digital age, many of these sources can be either physical or digital or both, but all require safe management."
Given that more than 23% of occupational fraud cases resulted in a loss of at least half a million pounds (3), it makes good business sense to consider outsourcing the responsibility for information security to a specialist, professional organisation such as a data management company. The investment is likely to be an astute use of company funds and will not only provide support and guidance for management but also allow them to focus on day-to-day issues, safe in the knowledge that key business information systems are secure.
For example, a professional document destruction service should provide:
- Accreditation to EN15713 security shredding standard
- Uniformed and security checked operatives
- Total Data Protection Act compliance
- On-site shredding or off-site shredding at secure purpose-built destruction centres
- Lockable cabinets to keep documents safe when still on-site
- Support for environmental targets as all paper is recycled once shredded
- Destruction of products, e-media, ID cards and uniforms
Ensuring data protection controls are at an optimal level for current and future business purposes is essential to improving company profitability. Much is at stake, as under current GDPR legislation, all Company Directors are personally liable for the safekeeping and secure destruction of all documents and data which identify living individuals.
When confidential material reaches the end of its life-cycle, owners of businesses large or small, public or private, are particularly vulnerable to breaches in data security and risk financial damages and reputational losses as a result. Acting sooner rather than later to tighten information security and destruction in your organisation will pay dividends, of that there is no doubt.
For further information visit: www.restore.co.uk
1. Experian report; www.experian.co.uk
2/3. ACFE's report; The Nations on Occupational Fraud and Abuse