For third year running, UK firms less prepared for information risk than European average

According to the latest Information Risk Maturity Index from Iron Mountain and PwC, firms in the UK have fallen behind their European counterparts when it comes to managing and responding to information risk.

Despite a string of high-profile data breaches and upcoming reforms to data protection legislation coming out of the European Parliament, the results from the 2014 Index show UK mid-market firms score 55.9 out of an ideal score of 100, five points below the leading European country Hungary which had a score of 60.2. This is only marginally better than the UK’s 2013 score of 55.4, illustrating the plateau that businesses appear to have reached and the difficulty many now face in becoming fully equipped for risk.

The annual index measures how prepared companies are to address key information trends against a target of 100. For the third year running, UK mid-market firms have fallen short of achieving the European average set by the Netherlands, Hungary, Germany, UK, France and Spain.

Phil Greenwood, Commercial Director at Iron Mountain, said: “UK firms have some way to go if they are to catch up with their European counterparts. For the third year running they have failed to match the average European score. It is critical that companies address this if they are to adopt a responsible-yet-proactive approach to information risk and value, not just to protect the business, but to help it thrive.”

Based on the findings of the Information Risk Maturity Index, Iron Mountain has identified a set of steps and actions to help businesses improve their data security:

• Step 1: Make information risk a boardroom issue– ensure that it is a permanent point on the Board’s agenda, that there is a senior individual on the Board responsible for it, and that it is embedded into how the Board monitors overall corporate performance.
• Step 2: Change the workplace culture– design and deliver information security awareness programmes, have the right guidance available for every person at every level, and reward and reinforce good behaviours throughout the organisation, from the most junior to the most senior employee.
• Step 3: Put the right policies and processes in place– and ensure these cover all information formats (electronic, paper or media). Also, define any vulnerabilities relating to manual information handling, establish whistle blowing protocols, and review and test all systems and processes on a regular basis.

A summary of the report, Beyond Good Intentions: The need to move from intention to action to manage information risk, can be found at www.ironmountain.co.uk/risk-management.