One in eight SME companies hands employee data to hackers on a platter

Half of SME companies pass on the personal data of their employees to cooperating accounting and bookkeeping firms. And while the vast majority of entrepreneurs believe that they are properly protected by external companies, they also make it easy for hackers themselves. As many as 23 per cent of the surveyed companies in this group admit that they transfer sensitive employee data in a completely unsecured manner, according to a survey commissioned by ChronPESEL.pl and the National Debt Register under the patronage of the Personal Data Protection Office.

95 percent of micro, small and medium-sized entrepreneurs process their employees' personal data, of which 49 per cent pass it on to accounting and bookkeeping offices. The overwhelming majority of this group (88 per cent) believe that they are properly protected against unauthorised access by subcontractors. However, on the other hand, as many as 45 per cent of respondents fear that they may be stolen.

Ignoring basic cybersecurity principles

Although paper documentation is becoming a thing of the past, as many as 38 per cent of respondents still provide documents to accounting offices or HR agencies in this form. It is much more common for SME companies to transfer employees' personal data electronically. Unfortunately, by disregarding cybersecurity rules, this convenient form of communication with external HR puts some employees at risk.

Only 31 per cent of respondents send encrypted emails with a password-protected attachment to access the file. This type of security is most often used by medium-sized companies (38 per cent), and less frequently by small and micro companies (31 per cent each). In contrast, 22 per cent of entrepreneurs send encrypted emails with an attachment, although these are not password protected. Whereas 16 per cent of those surveyed store encrypted documents in the cloud, which they then share with external partners.

Encrypted e-mail communication is of no use if the attached employee’s personal data files are not additionally protected by a password. It is enough for the sender to make a mistake in the recipient's address for such data to be forwarded to the wrong person and a data protection breach to occur.

Unfortunately, among companies in the SME sector, there are also companies that are completely reckless with the protection of employees' personal data. As many as 14 percent of respondents send subcontractors unencrypted emails with an attachment without the required password to access the file.

- This is the biggest problem for small companies (23 per cent) from the trade (25 per cent) and transport (21 per cent) sectors, which have been present on the market for more than 10 years (32 per cent). They definitely more often operate in the form of companies (19 per cent) than sole proprietorships (5 per cent). Unfortunately, despite their extensive business experience, they are very negligent in protecting their employees‘ and customers’ personal data, which, as a result, are extremely easy targets for hackers, warns Bartłomiej Drozd, an expert at ChronPESEL.pl.

Equally reckless are the 9 per cent of respondents who store unencrypted documents in the cloud and then grant access to it to external companies

- This is the domain of medium-sized companies (19 percent) in the manufacturing (81 per cent) and construction (22 per cent) sectors that have been in the market for five to 10 years. This is very worrying, as these companies hire between 50 and 250 people. Despite the relatively large scale of their operations, and therefore their attractiveness to cyber criminals, they are extremely dismissive of the threat from hackers. One reason for this may be the mistaken thinking that handing over employee data to an external accounting firm or HR agency absolves them of liability in the event of a leak or theft by cyber criminals. This is not the case,- adds Bartłomiej Drozd

This does not close the list of sins of SMEs. 5 per cent of them no longer take paper employee documents to the accounting office, but transfer them to a memory stick or an external drive. If this is lost or stolen, employee data become accessible to outsiders.

- Data controllers, i.e. employers, should carry out a risk analysis and identify the risks if they transfer data on media such as flash drives. The analysis should demonstrate the need to adequately secure such devices. There are encrypted media of this type on the market. Files can also be encrypted, which, if such a portable memory device is lost or stolen, will make it impossible or at least difficult to access the data without knowing the password, says Mirosław Wróblewski, President of the Personal Data Protection Office.

It is worth knowing that the Personal Data Protection Office has already imposed administrative fines on controllers for data protection breach due to the loss of a pendrive on which the data was not secured in any way.

- The proceedings of the Personal Data Protection Office most often revealed the lack of an adequate risk analysis, which would help to realise the necessity of adequate security of such carriers. Sometimes the analysis was superficial, which resulted, for example, in the implementation of insufficient procedures related to securing data on external carriers or the lack of supervision over the observance of the developed rules, adds Mirosław Wróblewski.

Hackers are rubbing their hands

This is not surprising, as according to the Central Statistical Office, SME companies hire 7.3 million employees. For cybercriminals, this means 7.3 million potential victims of attacks. And the stolen loot can be priceless.

Micro, small and medium-sized companies most often process the name of the employees they employ (86 per cent), as well as the telephone number (80 per cent). Slightly less frequently, the residential address and PESEL number (75 per cent each). This is followed by e-mail address (70 per cent), bank account number (68 per cent) and ID card number (62 per cent), as well as health data on absences or past illnesses (43 per cent). As a result, due to poor security in many SMEs, it is very easy for hackers to steal a set of personal data needed to commit a crime.

The survey was conducted by TGM Research on behalf of ChronPESEL.pl and the National Debt Register under the patronage of the Personal Data Protection Office in May 2024 using the technique of online interviews (CAWI) on a sample of 400 representatives of SMEs meeting the criterion of decision-making and processing personal data.