
The study surveyed senior managers at 600 mid-sized (250 – 2,500 employees) European businesses in the UK, France, Germany, Hungary, the Netherlands and Spain to compile Europe’s first Information Risk Maturity Index.
The Index was based on a set of measures that, if put in place and frequently monitored, would help protect the information held by an organization. Of the six countries included, the UK consistently fared the worst, achieving a score of only 55.08 against a target of 100.
While there was no stand-out performer in Europe, Hungary outperformed the other European countries with the highest overall index score of 61.
“It’s a surprise that UK businesses fared so badly in this study, particularly when high-profile data breaches receive such widespread media attention in the UK, seriously damaging brand reputation,” said Christian Toon, head of information risk at Iron Mountain Europe.
“The findings reveal that though many British businesses do have a data protection and information risk strategy in place, most fail to monitor its effectiveness. In Hungary, with its high level of ISO certification, businesses are more likely to have training programs, clear guidance, codes of conduct and employee communication programs in place. This difference underscores why companies need to adopt a culture of Corporate Information Responsibility (CIR). This shift is key to protecting sensitive information,” Toon added.
While some countries performed better than others, the results suggest that there is a problem across the board with the way businesses regard information risk. Too few see the risk as a serious threat to their business. Addressing this shortcoming must start from the top.
Christian Toon provides the following practical advice to help businesses become more responsible in protecting information.
Make it a boardroom issue:
- Make information risk a permanent point on the Board agenda
- Articulate information risk in a language the Board can relate to – highlight, for example, the financial implications of not safeguarding information
- Include information risk on your register and provide regular status reports to the Board
- Embed it into your existing practices and create monthly dashboards to monitor progress.
- People are the weakest link – screen all applicants before offering employment with background checks. Rescreen at regular intervals
- Design and run information risk awareness programs that start at induction and are followed-up with annual refresher courses
- Reinforce good behaviors by rewarding them and sanction poor behavior
- Build information risk into staff objectives and embed these into annual performance reviews
- Identify technology that is fit for purpose and secure enough for your needs. When it is implemented, maintain it, and ensure that you get sufficient logs and records from your systems
- Finally, don’t underestimate the change possible with even minimum investments in time and budget. Simple measures and minor investment, which will not take the focus away from the core business, can move the organization towards more secure information management.







