Iron Mountain and PwC launch Europe’s first ‘Information Risk Maturity Index’

Madrid, 23 March, 2012 – Data breaches will continue to expose European businesses to unnecessary risk and damage business reputations unless action is taken now to improve the management and protection of sensitive business information, reveals a new report by Iron Mountain and PwC. The study highlights an urgent need for a change in employee behaviour and a cultural shift among senior executives if organisations are to overcome the complacency, negligence and lack of shared responsibility uncovered by the study.

The report, launched today at Iron Mountain’s first European Information Risk Summit, reveals that only around half of mid-sized businesses consider the loss of sensitive information as one of their top three business risks.

Less than a quarter (24%) of the companies surveyed were aware as to whether or not they had experienced a data breach in the last three years.

A mere 1% of respondents consider information risk to be the responsibility of every employee, while nearly two thirds (60%) conceded that they do not know whether their employees have the right tools to protect information.

Marc Duale, President of International at Iron Mountain, said the report was a wake-up call for European businesses: “It is time for businesses to move from a culture of information apathy and neglect to a culture of information responsibility. Fail to act and you expose your customers to serious information risk while potentially leaving your company open to the risk of irreparable reputational damage.”

PwC surveyed senior managers at 600 leading European businesses to compile Europe’s first ‘Information Risk Maturity Index’ for mid-sized businesses, (250 to 2500 employees). The scores, assessed for France, Germany, Hungary, the Netherlands, Spain and the UK, suggest that many businesses are woefully unprepared to address and manage information risks such as data breaches, data loss and non-compliance. The average score for European companies was 40.6 against an ideal score of 100.

The Information Risk Maturity Index is based on a set of measures that, if put in place and frequently monitored, will help protect the digital and paper information held by an organisation. The index represents a balanced approach to preventing information risk, including strategic, people, communications and security measures.

Other key findings from the survey reveal considerable inconsistency around who should be responsible for information risk.

Only 13% consider information risk to be a boardroom issue, while around a third (35%) view all information risk – whether related to paper or digital information – as the responsibility of the IT department.

This tendency to view information risk as an IT issue was found to be widespread, with 59% responding to a data breach by installing additional technology.

Just a third (36%) of companies have assigned responsibility for information risk to a specific individual or team whose effectiveness is monitored.

William Beer, a director in PwC’s UK cyber and information security practice, says it is clear that businesses of all sizes and all sectors are failing miserably in their efforts to secure their customer data:

“Good information security requires three elements: people, processes and technology. Companies too often invest in technology to solve the perceived issue but technology is not the silver bullet.

“Mid-sized companies that don’t necessarily have the financial resources, but do have the will and agility to change, can make a huge improvement by transforming the culture from the top, putting new procedures in place and educating their staff.”

Based on the findings of the Information Risk Maturity Index, Iron Mountain has identified a set of steps and actions to help businesses improve their data security:

    Step 1: Make information risk a boardroom issue – ensure that it is a permanent point on the Board’s agenda, that there is a senior individual on the Board responsible for it, and that it is embedded into how the Board monitors overall corporate performance.

    Step 2: Change the workplace culture – design and deliver information security awareness programmes, have the right guidance available for every person at every level, and reward and reinforce good behaviours throughout the organisation, from the most junior to the most senior employee.

    Step 3: Put the right policies and processes in place – and ensure these cover all information formats (electronic, paper or media). Also, define any vulnerabilities relating to manual information handling, establish whistle blowing protocols, and review and test all systems and processes on a regular basis.

A summary of the report “Beyond cyber threats: A study on business culture, employee responsibility and information security” can be found at www.ironmountain.co.uk/risk-management.