Thank you for taking the time to complete this short survey – it really does help us to understand how you, as a small or medium enterprise, are addressing your information security obligations. Based on the information provided we will send you a preliminary summary report highlighting areas of concern and suggestions for improvement.

The survey will take approximately 10 - 15 minutes to complete.

Once again thank you for your time.


Why should I worry about Data Protection?


This is what the FSA said about financial services firms; however, it almost certainly applies to many, if not most, small businesses across all sectors.


Small firms are often wholly reliant on IT consultants who we found do very little – if any – work on data security. So the standard of small firms’ compliance checking – and their overall performance on data security – is very weak indeed.

Overall, data security needs to be improved significantly. Many firms, particularly small firms, still need to make substantial progress to protect their customers from the risk of identity fraud and other financial crime.

The Information Commissioner’s Office (ICO) now has increased powers of enforcement, including financial penalties of up to £500,000 for reckless or negligent loss of data. Its position is that it is not appropriate for customer data to be taken offsite on laptops or other portable devices which are not encrypted.

Many firms are failing to identify all aspects of the data security risk they face, for three main reasons. First, some do not appreciate the gravity of this risk; second, some do not have the expertise to make a reasonable assessment of key risk factors and devise ways of mitigating them; and third, many fail to devote or coordinate adequate resources to address this risk.

In some medium-sized and small firms, there is a lack of awareness that customer data is a valuable commodity for criminals. As a consequence, systems and controls are often weak and sometimes absent.

It is good practice for firms to conduct a risk assessment of their data security environment and implement adequate mitigating controls. If firms consider that their in-house resources or expertise are inadequate to perform a coherent risk assessment, they should consider seeking external guidance.

Few firms completely mitigate data security risks by managing USB devices and optical devices such as CD writers, encrypting laptops and USB devices and blocking web-based communication facilities such as Hotmail and instant messaging. Small firms are very weak in this area, with few of them identifying or mitigating risks.