With small businesses making up 99.7% of all U.S. businesses, it’s not surprising that 43% of cyber-attacks target SMBs. While large corporations often seem to rebound from breaches and cyber-attacks, small businesses aren’t always as fortunate. A recent Ponemon Institute report showed that 50% of the SMBs surveyed had experienced a breach within the last year, and 32% of those businesses were unaware of the root cause of the breach.
Information security is an evolving process, one that must continually adapt to new threats and security protocols. In the past, many companies believed in keeping information indefinitely to ensure it was available in case of an audit, litigation or other emergencies. However, outdated paperwork and data increase your risk of a potential breach. To protect their businesses, employees, clients and vendors, SMBs should take a “less is more” approach when it comes to their sensitive information.
Organizations that save documents past their retention end date not only increase the risk of a data breach, but also risk non-compliance with government and industry regulations, potentially resulting in penalties, fines and legal issues.
Starting with a strategic records and information management (RIM) policy can help small businesses create, manage and destroy documents more securely and efficiently. A records manager can help you understand which documents you need to retain, and for how long, as well as set up a system that automatically sorts document types into the appropriate retention cycle. A digital RIM solution should notify you when a record’s retention period is over and the document is ready for destruction. Once a file is ready for disposal, a third-party document management partner can help you securely shred or destroy all sensitive documents and media to minimize risk.
While there are some documents your small business may need to securely store for an indefinite period, there are others you may be holding on to for too long.
The IRS has set some standard retention recommendations for small business tax records. However, the exact length of time you’ll need to keep a document may vary from industry to industry, as well as from one record type to another. This can range anywhere from 2 to 7 years, and sometimes longer.
When defining your retention buckets, be sure to consider the following record types:
Make a habit of cleaning out expired paperwork before adding tax records from the current year. The key is developing a system that you can successfully implement. Not only will regular cleaning improve security, but you will also benefit from reclaimed usable space within your office.
Employment records contain sensitive data that you’re expected to protect, including Social Security numbers, email addresses and health information. Companies that keep employee records past their retention date risk a breach of personally identifiable information (PII).
For most human resource files, employers should retain the records for as long as an employee is working at the company and up to seven years after they have left or are terminated. For individuals who applied for a job but were never hired, information should generally be kept for a minimum of three years. These records include:
If you have questions about any of your old employment documents, including any employee benefit plans, speak with your attorney or an information governance professional. Laws may also differ from state to state. Once you have confirmed which files you need to keep, organize them before destroying the rest.
Digital communication tends to reign supreme these days. This means that employees, customers, managers and even investors are communicating more often via email, social media and even messaging apps. No sensitive information should be shared this way.
Taking a proactive approach helps you stop a security breach before it begins. Consider investing in a secure, digital records and information management (RIM) platform that will allow you to share files with ease and greater peace of mind. Once you invest in a RIM platform, it’s important to convert all files that were once shared via email and securely destroy all irrelevant or outdated information.
Once you’ve identified all the documentation that your organization no longer needs, it’s time to dispose of the information. A RIM solution should be able to securely destroy all digital records that reach the end of their retention period. A RIM partner can help you securely shred your outdated physical records, computer hard drives and electronic media while complying with government regulations, including HIPAA, FACTA, FERPA, GLBA and the Federal Privacy Act.