Beyond Cyber Threats


Europe’s First Information Risk Maturity Index

A PwC Report In Conjunction With Iron Mountain


Information is the lifeblood of every business. Paper files and folders, back-up tapes and digital archives represent a treasure trove of customer insight, employee knowledge, business intelligence and innovation. At the same time, information presents one of the greatest legal and reputational risks to businesses of all sizes. You only have to pick up a newspaper to see what can happen to your customer relationships, brand reputation and sales if information is lost, damaged or exposed.

Like any other business asset, your information is exposed to risk. You can only protect your information if you know where the risks are, how likely they are to occur, and how best to manage them.

To understand the levels of information risk within European mid-market businesses and their capability to mitigate against this, Iron Mountain commissioned PwC to study 600 mid-sized businesses across Europe. The results reveal a deeply concerning picture of complacency, ignorance and lack of management that should sound an alarm bell across the European community.

The findings are particularly worrying at a time when companies of all sizes and in all sectors across Europe are producing and processing electronic and paper records at ever-increasing speed in an ever-more stringent regulatory environment.

Information risk is a board-level issue. If you only take one thing away from this report, it should be an understanding that the key to managing information risk starts and finishes with your people and business culture. Do not expect technology alone to solve the problem. People are often the weakest link when it comes to information security, but they are also a company’s secret weapon when it comes to cost-effective information security management. Information risk management should be part of the cultural DNA of your business, and establishing a culture of responsibility can only be successful when the drive and example come from the top.

We hope that this report will encourage you to review the approach your business takes to information risk and take on board the recommendations and practical steps suggested.

We hope you take action not simply because your customers are calling for it, or the legislators demand it, but because it is the right thing to do. Take action because the success or even survival of your business could depend on it.

Christian Toon
Head of Information Risk
Iron Mountain Europe

Executive Summary

This report presents the findings from Europe’s first Information Risk Maturity Index. The Index clearly shows that European mid-market businesses have a long way to go to bring their information security practices up to acceptable standards.

Across our sample of 600 European businesses, the performance was poor, with an average index score of only 40.6 out of a maximum possible score of 100. In the current commercial environment, a score of anything less than 50 is bad news for companies, their customers and their collective peace of mind.

Our study reveals that 59% of businesses believe that investing in technology will facilitate data protection. This suggests, firstly, that data security is widely perceived by business as mainly an IT issue, which it is not. Secondly, and related to this, it suggests that investing in technology is often perceived as the appropriate solution. However, this ignores a growing body of evidence which shows that one of the biggest threats to data security centres around corporate culture and employee behaviour.

The evidence in this report illustrates why all businesses should take heed. The risks they face are extensive, with the potential to make the difference between success and failure.

Our study shows that over 60% of mid-cap businesses in the countries surveyed are not confident that their employees, or their executives, have access to the right tools to protect against information risks.

Based on the findings of our Information Risk Maturity Index, we have identified a set of steps and actions that, if put in place and frequently monitored, will help protect the digital and paper information held by businesses.

  • Step 1: Make information risk a boardroom issue - ensure that it’s a permanent point on the Board’s agenda, that there’s a senior individual on the Board responsible for it, and that it is embedded into the Board’s dashboards that are used to monitor overall corporate performance.
  • Step 2: Change the workplace culture - design and deliver information security awareness programmes, have the right guidance available for every person and at every level, and reward and reinforce the good behaviours throughout the organisation, from the most junior employee to the most senior.
  • Step 3: Put the right policies and processes in place - and ensure these cover all information formats (electronic, paper or media), define any vulnerabilities relating to manual information handling, establish whistleblowing protocols, and review and test all systems and processes on a regular basis.

These actions are fundamentally about developing a business culture in which information risk awareness is at the core of day-to-day employee tasks and activities.

Businesses need to act, and they need to act now. Doing nothing is not an option. A step-change in business culture and employee behaviour is required. Anything less will simply not be sufficient.

Information: A Priceless Resource

“Information is a priceless resource that must be protected. There’s currently a massive gap between what businesses are currently doing to protect themselves, and what they should be doing.”
William Beer
PwC One Security Director