The Index was based on a set of measures that, if put in place and frequently monitored, would help protect the information held by an organisation. Of the six countries included, the UK consistently fared the worst, achieving a score of only 55.08 against a target of 100. While there was no stand-out performer in Europe, Hungary outperformed the other European countries with the highest overall index score of 61.
"It's a surprise that UK businesses fared so badly in this study, particularly when high-profile data breaches receive such widespread media attention in the UK, seriously damaging brand reputation," said Christian Toon, head of information risk at Iron Mountain Europe. "The findings reveal that though many British businesses do have a data protection and information risk strategy in place, most fail to monitor its effectiveness. In Hungary, with its high level of ISO certification, businesses are more likely to have training programmes, clear guidance, codes of conduct and employee communication programmes in place. This difference underscores why companies need to adopt a culture of Corporate Information Responsibility (CIR). This shift is key to protecting sensitive information."
Toon continued: "While some countries performed better than others, the results suggest that there is a problem across the board with the way businesses regard information risk. Too few see the risk as a serious threat to their business. Addressing this shortcoming must start from the top. It's time for the Boardroom to start making Corporate Information Responsibility an integral part of their organisation, just as many have done with Corporate Social Responsibility."
Christian Toon provides the following practical advice to help businesses become more responsible in protecting information:
Make it a boardroom issue:
- Make information risk a permanent point on the Board agenda
- Articulate information risk in a language the Board can relate to: highlight, for example, the financial implications of not safeguarding information
- Include information risk on your register and provide regular status reports to the Board
- Embed it into your existing practices and create monthly dashboards to monitor progress
Change the workplace culture:
- People are the weakest link: screen all applicants with background checks before offering employment, and rescreen at regular intervals
- Design and run information risk awareness programmes that start at induction and are followed up with annual refresher courses
- Reinforce good behaviours by rewarding them and sanction poor behaviour
- Build information risk into staff objectives and embed these into annual performance reviews
- Identify technology that is fit for purpose and secure enough for your needs. When it is implemented, maintain it, and ensure that you get sufficient logs and records from your systems
- Finally, don't underestimate the change possible with even minimal investment of time and budget. Simple measures and minor investment, which will not take the focus away from the core business, can move the organisation towards more secure information management.