Currently, there is a wide gap between large and small businesses in both digital and paper security. While a larger company may have an entire department devoted to information security and risk mitigation, for most small businesses the conversation hasn’t even started. “More than a third of small businesses aren’t even aware of the legal and financial impacts that lost or stolen data would have on their business,” says Bruce Andrew, SVP, Marketing and Customer Experience at Shred-it. “That’s a scary, scary fact.”

It’s frightening because a data breach can devastate a small business. Beyond the direct dangers of theft and fraud, the potential reputational damage that occurs when a breach becomes public is immeasurable. “Reputational damage is far more expensive than direct financial damage in the long term,” says Andrew. “Small businesses typically can’t recover from this kind of reputational damage. It just puts them out of business.”

It is important for small business owners to know that among the dozens of fires they are trying to put out every day, not having a security policy is like a candle flame, while dealing with a data breach after the fact is an inferno. Snuffing the candle can be as easy as taking three simple steps.

First, every document should either end up in a secure location, which can be as simple as a filing cabinet or desk drawer with a lock on it, or be destroyed. By treating every document the same, confidential information is secure by default. “Don’t give your employees a choice between the recycling bin and the shredder,” says Andrew. “If you use an outsourced shredding service, all the paper that goes into the shredder gets recycled anyway.”

The second step is to ensure that your computer security covers the entire life cycle of the computer system and the entire breadth of the network, from the computers themselves, to the Wi-Fi, to the employee smartphones. “And, when you are done with a computer,” Andrew emphasizes, “take the few minutes to remove the hard drive and get that thing destroyed properly.”

Finally, take those first two steps and use them as the basis for an official information security policy that employees are trained on, and that is tied to performance reviews. This strategy is a starting point, to be built on continuously, but doing anything less is going to cost a company in the long run.

Customers are more security-savvy than ever before, and large companies are increasingly refusing to deal with suppliers that do not have an information security policy in place. Having a solid information security policy is just good business.