Information risk is a growing threat and one which is not necessarily fully understood or managed by organisations according to a study by PWC and Iron Mountain, “Beyond Cyber Threats”.

16th July 2012

Every organisation is built on information, information is found contained within paper files and digital archives.  It is paramount to gaining customer insight and business intelligence.  However, the amount of information being held by organisations is growing exponentially and the pressures from the regulatory environment further compound the risk of losing or damaging information, as an FSN staff writer explains.




According to the report, “Like any other asset your information is exposed to risk.  You can only protect your information if you know where the risks are how likely they are to occur and how best to manage them.”

The report undertook to create and apply what is thought to be Europe’s first Information Risk Maturity Index, made up of the weighted average responses to 34 information management questions covering strategy, people, communication and security. The results were somewhat concerning, with an average index score of 40.6 out of 100.  (A score of less than 50 is considered bad news for companies). Perhaps the most critical finding is the belief that data security is perceived by 59% of the organisations to be solely an IT issue and remedied by investment in technology.  However, the report stresses that “this ignores a growing body of evidence which shows that one of the biggest threats to data security centres around corporate culture and employee behaviour.”

So if it’s not just about IT what other steps can be taken? Firstly Information risk should be made a boardroom issue, ensuring that it is a permanent agenda point and assigned to a board member.  The profile of information risk should be elevated such that suitable KPIs are developed and made visible on the corporate dashboards.

Secondly, there needs to be a change in the organisation’s culture so that all employees are made aware of the risks and their consequences to ensure that information within the organization is held securely.  This can be one of the weakest links in keeping information securely within a business.  “The study found that up to a quarter of business incurred more than 60% of their financial losses from accidental breaches by insiders.”

Take for example in 2008 a Bank of New York Mellon employee sent 10 unencrypted backup tapes to a storage facility, however only 9 of them made it to their final destination.  The missing tape held the records of 4.5m customers including social security numbers and bank account information.

One could argue that had the business conducted appropriate information risk awareness training programmes this incident could have been avoided.  An organization should then go further in identifying suitable employees to form part of a wider team across the functions of the business to identify and manage the risks.

To change a culture is no easy feat, this is something which needs to be embedded both bottom up and top down throughout the organization.  Rewarding and reinforcing behaviour is required to ensure that employees buy-in to the new culture.

Finally an organization should ensure that the appropriate policies and processes are in place.  These need to cover all information formats including paper documents as well as electronic forms.  Whistle blowing protocols should be set out in employee handbooks and reinforced in information risk awareness training programmes. These policies and processes should then be reviewed on a regular basis and tested.

The study suggests that it  is through building and embedding a culture of risk awareness within an organization, from the most junior employee to the most senior that a business can reduce the burden of information risk.