ORGANISATIONS hold vast amounts of information; data that holds the key to new business ventures, enhanced customer engagement, increased productivity and competitive advantage. So why is it so many firms fail to treat information with the care and respect it demands?
With the recent explosion in digital communications, many European businesses appear to equate ‘information’ and its security with IT. In response, the IT department protects data by installing firewalls and anti-malware security to keep cyber-risks at bay. However, information includes spread-sheets and databases loaded onto PCs and laptops, as well as the mountains of paper documents crammed into folders and filing cabinets.
External threats are very real and need to be addressed, but a growing body of evidence shows employees could be the greatest risk to information exposure. While your business is looking the other way, valuable and confidential information is happily and often innocently leaving the office in somebody’s bag or laptop case.
The 2012 global data breach report by Verizon found that while just 4% of actual data breaches implicated insiders, the potential impact of theft by an employee was invariably greater than that of an external threat. This is because insiders are three times more likely to steal business-critical data. The reasons behind this could be that employees have a sense of ownership over information they were involved in creating, with some making off with customer database, plans and proposals.
The current competitive landscape means many organisations are fighting to win customer trust. Consequently, it is vital firms understand how employee behaviour is exposing the business to potential data breaches and corporate espionage. All companies should be aiming for the highest standards of information management and security. There are several easy, low-cost ways to reinforce information security in a business:
• Step 1: Make information risk a boardroom issue – ensure there is a senior individual on the board responsible for it, and that it is embedded into how the board monitors overall corporate performance.
• Step 2: Put the right HR and information policies and processes in place – and ensure these cover all information formats (electronic, paper or media). Also, define any vulnerabilities relating to manual information handling, establish whistle-blowing protocols, and review and test all systems and processes on a regular basis.
• Step 3: Change the workplace culture – design and deliver information security awareness programmes, have the right guidance available for every person at every level, and reward and reinforce good behaviours throughout the organisation.
Most employees do not take information out of malice, but because they are proud of the work they have produced. They understand its value and think it will be useful to them in the future. These are very positive foundations to build on – do not let the opportunity go to waste. Get your employees on board with a corporate information responsibility programme that will enable them to play a key role in mitigating information risk and keeping your critical information secure.
Rod Day, senior vice president and chief financial officer of Iron Mountain, Europe
Driving opportunity for all and empowering businesses for success are the key themes for the Sage Summit UK this year, which takes place on 5-6 April
The partnership will see PwC have 'physical presence' at CodeBase in Edinburgh
Unincorporated businesses under the VAT threshold given an extra year to prepare before MTD becomes mandatory
Simon Wright of CareersinAudit.com discusses how an effective cyber defence force is critical to businesses worldwide and how internal auditors can make the transition to a new career in cyber security