More than half (56 per cent) of respondents admitted that, despite introducing a strategy to manage information risk, they had failed to monitor its effectiveness. A similar number (59 per cent) had allocated responsibility for information risk management to a specific individual or team, but did not check performance; and more than half (54 per cent) did not track whether policies for the shredding of confidential waste and the secure destruction of digital information were being implemented properly.
The research findings revealed that the impact of such complacency can be catastrophic. Law firms that acknowledged having experienced a data breach listed reputational damage, professional liability and exposure as the main impacts.
PwC surveyed senior managers at 600 leading European businesses to develop the Information Risk Maturity Index for mid-sized businesses (250 to 2500 employees). The scores, assessed across the legal, financial services, insurance, manufacturing and engineering, and pharmaceutical sectors suggest that many businesses are woefully unprepared to address and manage information risks such as data breaches, data loss and non-compliance. The average score for European companies was 40.6 against an ideal score of 100, with the legal sector scoring an average of just 33.3. The financial services sector scored highest with an average score of 46.3.
The Information Risk Maturity Index provides a guide for organisations to measure their level of sophistication in information management. It is based on a set of measures that, if put in place and frequently monitored, will help protect the digital and paper information held by an organisation. The index represents a balanced approach to preventing information risk, including strategic, personnel, communications and security measures.
Commenting on the survey results, Christian Toon, head of information security at Iron Mountain Europe, said: "Our information risk study reveals a worrying level of complacency across the legal sector in Europe. There's absolutely no point in pouring resources into information security if no one takes any notice. All the money and technology in the world will not protect your sensitive data if staff are not properly trained, monitored and supported so that information security is a responsibility that is front of mind. The drive for this must come from the very top of the business."
Iron Mountain has called on businesses across Europe to commit to responsible information management: ensuring that information is valued and protected at every stage of its journey through the business, and that all confidential waste documents and digital data are securely disposed of at the end of the life cycle.