- Security TWENTY
- Women in Security
How can today’s information sinners quit the habit? asks Elizabeth Bramwell, Commercial Director at Iron Mountain UK, the information storage contractors.
Employees at every level and across every industry are reminded regularly that information is vital to their business. To make the most of business information, easy access is critical. Whether it’s an email with the latest financial figures, a marketing strategy PDF, a print out of a CV including hand-written notes or a customer contact list, having the information readily to hand enables businesses to serve their customers and employees. Given the importance of information to business success, you would expect employees to take every possible step to manage information securely. Yet, with file servers overflowing and increased pressure on resources, it would appear that many, from the CEO to the admin team, have become complacent about information security. We may well want to question whether or not modern businesses have put good information governance practices in place.
Despite understanding the value of the information their business holds, when it comes to safeguarding the information, business leaders often fail to follow the processes and policies designed to keep it secure.
In a recent survey  commissioned by Iron Mountain, over half (57pc) of the CxOs questioned admitted to having left business-sensitive or confidential information on the printer for all to see, with over a third (39pc) admitting to having lost it in a public place. This admission reveals just how easy it could be for information to get into the wrong hands. There is much at stake: if data is mishandled or breached, companies could face fines of up to 4pc of annual turnover under the General Data Protection Regulation. When customer information is breached as a consequence of malicious intent or employee error, the organisation’s reputation may be damaged and customer loyalty eroded. Seemingly small misdemeanours can have serious consequences.
It’s not just careless data handling that could land a company in hot water. The processes companies put in place to protect the integrity of information and ensure compliance are often not followed, leaving the organisation exposed to unnecessary risk.
One in five (21pc) CxOs we spoke to found the information management processes in their organisations too complicated and so chose to bypass them. A worrying 6pc were completely unaware of any processes governing information security. Company bosses, more than employees in any other roles, found procedures for information filing (16pc) and document retention (15pc) to be overly complex and chose to avoid them where possible.
Instead of leading by example, business leaders are guilty of sidestepping company policy to get things done or are simply unaware that what they are doing goes against any policy. Although our research found that CxOs top the list of information sinners in most information-handling scenarios, the actions of facilities managers reveal a similar story. Over half (56pc) admit to taking sensitive or confidential information out of the workplace and 48pc have sent sensitive information to the wrong recipient.
Departments tasked with handling sensitive information are also at fault. Nearly half (44pc) of HR staff said they were in possession of HR documents they should no longer hold under data retention regulations, 32pc of finance managers acknowledge the same with tax records and 47pc of legal professionals admit potential storage errors with contracts and other legal documents.
Administrative staff rate well in comparison but are still guilty of mismanaging information, with one in five (21pc) admitting to having mislaid data or sent it to the wrong person, and 15 per cent admitting to losing company documents in a public place.
The growing complexity
So what’s behind such widespread mismanagement of information and how can businesses change the culture and improve information management and handling practices among staff? It won’t be easy. The rise of cloud services and mobile device usage, along with the emergence of the Internet of Things (IoT) has led to an explosion in data generation within organisations. This has put pressure on people to manage more information than ever before. At the same time, business leaders want decisions to be data driven. As a result, employees must now analyse company information and find ways to derive insight from it while still understanding and ensuring compliance with data retention and protection regulations.
It is imperative that everyone within the organisation has a clear understanding of their responsibilities when it comes to managing the information they process or have access to – no matter what format it is in – as well as understanding the consequences for the business if that information is not managed correctly. But with time and resource pressures causing familiar strain across all sectors, good information governance is not necessarily a reality for many. Businesses need to foster a culture in which employees protect and value organisational information. This will require a continual cycle of information security training for all employees and it will need those at the very top to lead by example.
Information responsibility is shared by everyone: from the CEO and CIO, to sales, marketing, HR and even temporary staff. The basis of good information governance is comprehensive information management policies that covers all types of information, no matter whether it’s electronic or on paper and no matter where it resides, whether it’s in the office or in the cloud, on a USB stick or a laptop, stored in the home office or offsite with a trusted third party.
Making sure these policies are clear and easy to follow will encourage good information governance. In order to build an organisational culture that values and protects information, policy must be understood, followed and promoted by those at the very top of the business. This can be achieved through example, regular communication and training. When it comes to paper documents, off-site storage, in conditions compliant with relevant market regulations, will help the company to follow retention rules. A digitisation programme for frequently accessed or newly created information will also help to keep track of information and ensure it is stored centrally and compliant with relevant data protection laws.
Iron Mountain research with PwC showed around three quarters of companies (72pc in Europe and 79pc in North America) regard information as a business asset, yet on average just 35pc employ data analysts to extract the value from information and many (43 per cent) obtain little tangible benefit from their information. It is clear that companies still have a long way to go before they can overcome the challenge presented by the variety, volume and velocity of today’s flow of information.
Implementing a strong information governance policy requires a consistent, clear and cohesive approach to managing information in all formats. For business leaders in particular, this starts with getting their information management habits in order. Only then can they expect best practice to be followed throughout the organisation.
 The research was for Iron Mountain by Opinion Matters and questioned a total of 4006 workers in mid-market companies (with between 250 – 3,000 employees; 250-5,000 in North America) across the UK, France, Germany, The Netherlands, Belgium, Spain and North America.
 Seizing the information advantage: How organisations can unlock value and insight from the information they hold, Iron Mountain and PWC (2015)