Data Privacy and Security

Information Risk: What Can Businesses Learn From Each Other?

If there’s one thing the public hates, it’s hypocrisy – it’s often the one thing guaranteed to invoke the sting of injustice in everyone. So it’s no surprise that the most shocking finding from our recent report into the state of information risk within European businesses was the one that exposed the hypocrisy of the companies that hold that most precious of assets – our data.

This year was the second year Iron Mountain commissioned PwC to develop the Risk Maturity Index that measures how prepared mid-sized European companies are to manage and respond to information risk.

This year’s survey revealed a culture of hypocrisy and double standards when it comes to approaching data protection good practices. While more than half (58%) of European mid-sized firms say they would refuse to do business with a company that had suffered a data breach, 41% believe data loss to be an inevitable consequence of doing business. This suggests that businesses will pride themselves on avoiding the tarnished reputation of their suppliers but are not prepared to hold themselves accountable to the same high standards.

Inconsistencies abound. The study also found that while 68% of companies recognise that a responsible attitude to information is critical to business success, 47% say their board does not see data protection as a big issue, and 43% say their employees don’t see it as a real concern either.

This highlights a growing gap between attitude and action and, at a time of increasing complexity and rising threats to information security, businesses are unsure what to do or where to turn.

Also revealing were the significant differences in the way younger and older firms perceive and address their information risk. Looking at the results, it’s clear that both sides have valuable insight to offer the other when it comes to managing information risk.

Things that older firms can teach younger firms:

Having a plan is as important as ‘getting the job done’.

Just under half (49%) of younger firms – those which have operated for between two and five years – admit freely that they are much better at doing things than they are at strategic planning. Older firms on the other hand – those that have been in business for a decade or more – appear to have learned that knowing why you do something is just as important as what you do, with over half (56%) having a monitored information risk strategy in place, compared to just 14% of younger firms.

It is all right to be cautious about trusting employees with information.

Younger firms are far more trusting when it comes to their employees and their data. Just 18% believe employees are a threat to information security, and only half have an employee code of conduct; while a more significant 42% of older firms see employees as a threat and two thirds have an employee code of conduct in place. If caution leads to codes, guidelines and training to help employees better understand the risks and protect information then caution should be encouraged and applauded.

Information risk should be a boardroom issue.

Half of younger firms say the board does not see information security as a big issue, whereas the boards of mature businesses are far more likely to see information risk as worthy of their attention. Senior-level support is critical if information risk is to be taken seriously.

Some interesting points that both young and old firms should pay attention to:

Today’s complex world of hybrid information is here to stay.

Younger firms are more likely to feel comfortable managing structured and unstructured information in digital and physical formats across multiple locations (55% compared to 38% for older firms). This multi-format, multi-channel data world is the new reality; there is no turning back, so you might as well embrace it.

Money isn’t everything: the greatest victim of a data breach could be your reputation.

All firms agree that the impact of a data breach will touch customer loyalty (58% for both) and brand reputation (52% for both), but older firms are nearly twice as likely to be concerned about financial and legal consequences.

Information risk touches us all. Just as firms hold their employees’ and suppliers’ data, not to mention their own precious knowledge and intellectual property, many also hold personal information about us as the consumers of their products and services. This information needs and deserves to be protected.


Christian Toon, Risk and Security at Iron Mountain


Christian Toon

Head of Information Risk at Iron Mountain
