Organisations have to consider responsibility for information risk outside of the IT department.
According to information risk management company Iron Mountain, medium-sized enterprises (with 250-2,500 employees) should change the way in which they manage information risk and take greater corporate responsibility.
Speaking to SC Magazine, Christian Toon, head of knowledge security at Iron Mountain, said corporate responsibility for it cannot sit only with IT and the focus must be wider.
He said: "It should be inside the boardroom and organisations must discuss this. They have to have the fitting individual responsibility and accessibility in place, and take the problem of risk out of IT."
An Iron Mountain and PwC report released today highlights an urgent need for a metamorphosis in employee behaviour and a cultural shift among senior executives if organisations are to conquer the complacency, negligence and absence of shared responsibility uncovered by the study.
It found that just one per cent of respondents consider information risk to be the responsibility of each employee. The survey of 600 C-level executives at European businesses found that 99 per cent believe it's "someone else's problem", according to Toon. He added that there must be a call to action for everybody in an organisation to become accountable for information security.
The report also found that only 13 per cent of respondents consider information risk to be a boardroom issue, while more than a third (35 per cent) view all information risk, whether regarding paper or digital information, as the responsibility of the IT department.
It also found that 76 per cent of companies were unaware whether they had experienced a data breach in the previous three years, while 59 per cent responded to an information breach by installing additional technology.
The 2012 Verizon data breach investigations report, released yesterday, revealed that 38 per cent of respondents were accustomed to data exfiltration in minutes, while 25 per cent were conversant in it within days.
Toon said: "A quarter of companies were unable to provide a solution as to if they were experiencing a knowledge breach or not. With the proposed changes to the EU Data Protection Directive, businesses should report data breaches within 24 hours.
"Businesses are changing solutions counting on market needs, but they wish a risk-based approach. Securing the digital fortress isn't enough and maybe physical access ought to be addressed."
Iron Mountain has unveiled an "Information Risk Maturity Index", which makes three recommendations: make information risk a boardroom issue; change the workplace culture; and put the proper policies and processes in place.
William Beer, a director in PwC's UK cyber and data security practice, said: "Good information security requires three elements: people, processes and technology. Companies too often put money into technology to resolve the perceived issue, but technology isn't the silver bullet.
"Mid-sized companies that do not necessarily have the financial resources, but do have the need and agility to alter, could make an incredible improvement by transforming the culture from the highest, putting new procedures in place and educating their staff."