Interview: Iron Mountain's policy lead on confusion, inconsistency and double standards in information management in Europe

ITProPortal interviewed Christian Toon from information storage and management company Iron Mountain, to discuss the results of a pan-European report by the firm and PwC which explored the state of information risk in mid-market businesses across Europe.

The 2013 Information Risk Maturity Index reveals that the approach to information management taken by European companies is defined by confusion, inconsistency and double standards.

What was the purpose of the survey and why did Iron Mountain feel there was a need for this research?

This is the second annual publication of the Information Risk Maturity Index, which measures how prepared European mid-tier companies are to manage and respond to information risk. The report pools insight from a significant number of mid-sized businesses (between 250 and 2,500 employees) and suggests that they are finding it difficult to manage their information and feel exposed to risk.

The purpose of the survey was to validate what we were being told; we wanted to uncover the level and complexity of the problem and produce something useful for businesses. This is why we created the risk index, so that businesses can measure themselves against it, and to encourage European businesses to embrace a culture of information responsibility.

What is the most surprising finding in the PwC research?

Last year, we were most surprised by the low index score across countries and sectors. We had already identified that information management was a cause for concern for many businesses but we hadn't realised to what extent.

This year, awareness is not the problem. People know they should take action but, in the face of the growing complexity and increasing risk, they do nothing. Businesses are increasingly aware of information risk but are not yet equipped to manage it. The average index score this year is 56.8 out of an ideal 100. This is a step forward from last year's score (40.6) when no one was managing their information at a satisfactory level.

What we are seeing is an increasing level of awareness among mid-sized businesses of the threat posed by exposure to information risk and a growing understanding of the need to take action. However, the survey results suggest that they are either unsure what to do next or remain ill-equipped to tackle the threat.

A picture is emerging of confusion, contradiction and complacency around the management of information risk in the mid-market, with a gap growing between attitude and action.

Mid-market businesses hold suppliers to the highest information security standards but fail to practise what they preach. At a time when data breaches are increasing by 50 per cent per year, confusion, inconsistency and double standards in information management abound among Europe's mid-sized businesses.

The mid-market's greatest fears are the loss of customer loyalty, damage to brand reputation and the erosion of sales and revenue. Customers and concern for the bottom line are what's driving the desire for change. It's not just about compliance.

What are the standout country differences?

The Netherlands and Hungary have achieved the highest index scores, at 62.4 and 61.0, with the former witnessing a significant improvement in the past year. Respondents in the Netherlands stand out as being the most strategic in their approach to information risk.

For example, Dutch businesses are more likely than their counterparts in other countries to have a contingency plan in place to respond to small-scale data mishaps, a corporate risk register, a strategy to cover mobiles, personal devices and laptop security, and a strategy for the secure disposal of hardware and confidential documents. The Netherlands and France are the most likely to treat information risk as a boardroom issue.

55 per cent of French firms have a monitored information risk strategy in place compared to 34 per cent in the UK and 45 per cent overall.

Spain has the lowest index score, at 52.2. Interestingly, Spanish firms are the least likely to see their employees as a threat to information security, and at the same time they are behind their European counterparts with regard to the provision of employee guidance on internal policies and procedures, and are least likely to have some of the key security measures in place such as due diligence programmes for the handling of personal, customer or employee information, intrusion detection systems and recognised data classification systems.

What sort of data is sensitive?

All kinds of different data can be sensitive, including customer and financial information. The definition also includes personally identifiable information, meaning information that describes, locates or indexes anything about an individual. This can be financial transactions, medical history, ancestry, religion, political ideology, criminal or employment records and photographs. Other information that would be considered sensitive is intellectual property such as patents, and significant documents such as contracts.

What are the risks to information and why should organisations care about information management?

Firstly, there is risk of losing an information advantage. For example, failing to protect a patent.

Secondly, there is the risk of inadvertent disclosure. A data breach that causes the loss of customer or financial data can result in ID theft and risk of non-compliance with data protection legislation. This can lead to hefty fines (set to increase with the proposed new EU legislation) and irreparable damage to customer confidence as well as a serious threat to brand reputation.

Thirdly, there is a threat of financial liability if sufficient evidence cannot be produced to satisfy legal disclosure or audit requirements.

Information is the life blood of the business – an invaluable resource that, if treated correctly, can provide insight and business intelligence to drive customer engagement, productivity and competitive advantage.

Businesses cannot afford to overlook the risk to reputation that the mismanagement of information could cause. Data loss, non-compliance and security breaches can result in significant financial penalties and lasting reputational damage.

What should companies be doing to ensure they manage their information correctly?

Take it to the top – Develop a risk strategy and gain support from the top of the business.

Talk the language of the board – Explain the risk to reputation and customer loyalty and the value that can be unlocked when information is well managed.

Take control of what you've got – You need to know what information you have, where it is and decide whether you still need it. Build reasonable parameters to control access.

Take your people with you – Put policy and processes in place that will help foster a culture of information responsibility at every level.

What is Corporate Information Responsibility and what does it mean?

Corporate Information Responsibility refers to the responsibility organisations have to protect and make the most of the information they hold. It's about three things:

Awareness – You need to understand the potential impact (financial and reputational) of not managing information risk and acknowledge that these risks require board-level attention.

Policy and process – You need to implement a company-wide programme to manage information and reduce risk, with leadership coming from the very top.

Culture change – You need to foster a culture of information responsibility so that your people are the first line of defence in mitigating information risk.

Why should this be a boardroom issue?

Boards usually deal with more pressing issues, like business survival, but that also relies on successful information management. It has to be a board-level issue because of the risks associated with it, including damage to reputation, fines and the impact of non-compliance, damage to customer relationships, financial costs (both direct and indirect) and loss of competitiveness within the market.

Why is this important for mid-sized businesses?

It's almost more important for mid-sized businesses to manage their information correctly than it is for large enterprises. They don't necessarily have the financial reserves to deal with a significant breach and exposure to adverse reputational threats. A half-a-million-euro fine could mean the end of the business for many of them.