www.pwc.co.uk

Beyond cyberthreats:Europe’s First Information RiskMaturity Index

A PwC report in conjunctionwith Iron Mountain

March 2012

PwC Contents

Contents

Foreword 1

Executive summary 2

Information: a priceless resource 3

The mid market is at risk 5

The impact of not safeguarding your data 9

Responsibility for information risk 11

How well are businesses protecting themselves? 13

What are the best organisations doing? 17

Understanding the commercial benefit 19

A call to action 21

Appendix 23

Research methodology 24

Report authors 27

PwC 1

Information is the lifeblood of every business. Paper files and folders, back-up tapes and digitalarchives represent a treasure trove of customer insight, employee knowledge, businessintelligence and innovation. At the same time, information presents one of the greatest legal andreputational risks to businesses of all sizes. You only have to pick up a newspaper to see what canhappen to your customer relationships, brand reputation and sales if information is lost,damaged or exposed.

Like any other business asset your information is exposed to risk. You can only protect yourinformation if you know where the risks are, how likely they are to occur, and how best to managethem.

To understand the levels of information risk within European mid-market businesses’ and theircapability to mitigate against this, Iron Mountain commissioned PwC to study 600 mid-sizedbusinesses across Europe. The results reveal a deeply concerning picture of complacency,ignorance and lack of management that should sound an alarm bell across the Europeancommunity.

The findings are particularly worrying at a time when companies of all sizes and in all sectorsacross Europe are producing and processing electronic and paper records at ever-increasingspeed in an ever-more stringent regulatory environment.

Information risk is a board-level issue. If you only take one thing away from this report, it shouldbe an understanding that the key to managing information risk starts and finishes with yourpeople and business culture. Do not expect technology alone to solve the problem. People areoften the weakest link when it comes to information security, but they are also a company’s secretweapon when it comes to cost-effective information security management. Information riskmanagement should be part of the cultural DNA of your business and establishing a culture ofresponsibility can only be successful when the drive and example comes from the top.

We hope that this report will encourage you to review the approach your business takes toinformation risk and take on board the recommendations and practical steps suggested.

We hope you take action not simply because your customers are calling for it, or the legislatorsdemand it, but because it is the right thing to do. Take action because the success or even survivalof your business could depend on it.

Christian ToonHead of Information RiskIron Mountain Europe

Foreword

PwC 2

This report presents the findings from Europe’s first Information Risk Maturity Index. The Indexclearly shows that European mid-market businesses have a long way to go to bring theirinformation security practices up to acceptable standards.

Across our sample of 600 European businesses, the performance was poor, with an average indexscore of only 40.6 out of a maximum possible score of 100. In the current commercialenvironment, a score of anything less than 50 is bad news for companies, their customers andtheir collective peace of mind.

Our study reveals that 59% of businesses believe that investing in technology will facilitate dataprotection. This suggests, firstly, that data security is widely perceived by business as mainly anIT issue, which it is not. Secondly, and related to this, it suggests that investing in technology isoften perceived as the appropriate solution. However, this ignores a growing body of evidencewhich shows that one of the biggest threats to data security centres around corporate culture andemployee behaviour.

The evidence in this report illustrates why all businesses should take heed. The risks they face areextensive, with the potential to make the difference between success and failure.

Our study shows that over 60% of mid-cap businesses in the countries surveyed are not confidentthat their employees, or their executives, have access to the right tools to protect againstinformation risks.

Based on the findings of our Information Risk Maturity Index, we have identified a set of stepsand actions that, if put in place and frequently monitored, will help protect the digital and paperinformation held by businesses.

Step 1: Make information risk a boardroom issue – ensure that it’s a permanent pointon the Board’s agenda, that there’s a senior individual on the Board responsible for it,and that it is embedded into the Board’s dashboards that are used to monitor overallcorporate performance.

Step 2: Change the workplace culture – design and deliver information securityawareness programmes, have the right guidance available for every person and at everylevel, and reward and reinforce the good behaviours throughout the organisation, fromthe most junior employee to the most senior.

Step 3: Put the right policies and processes in place – and ensure these cover allinformation formats (electronic, paper or media), define any vulnerabilities relating tomanual information handling, establish whistle blowing protocols, and review and test allsystems and processes on a regular basis.

These actions are fundamentally about developing a business culture in which information riskawareness is at the core of day-to-day employee tasks and activities.

Businesses need to act, and they need to act now. Doing nothing is not an option. A step-changein business culture and employee behaviour is required. Anything less will simply not besufficient.

Executive summary

PwC 3

Information: a pricelessresource

“Information is a priceless resource that must beprotected. There’s currently a massive gap betweenwhat businesses are currently doing to protectthemselves, and what they should be doing.”

William BeerPwC One Security Director

Company A lost a USB stick containingcustomer profile data. This resulted inextensive adverse media coverage, andmore than £100,ooo in cash costs.

A courier carrying financial servicesback-up tapes was robbed. This led toseveral man-weeks of investigation tocheck that the data had not beenmisused.

Source: Information Security Breaches Survey(ISBS) 2010, Infosecurity Europe/PwC.

In June 2011, Nintendo joined on-line gamescompany Sony and US defence contractorLockheed Martin, in admitting that theirinformation had come under maliciousinternet attack. The announcement came justdays after the UK’s Chancellor of theExchequer, George Osborne, told aninternational conference that Britishgovernment computers receive over 20,000malicious email attacks every month.

The message is clear: no organisation, of anysize, in any sector and with information toprotect, is safe.

Customer records, internal data, paper anddigital, businesses handle a massive amountof data and information every day. Themismanagement and potential loss of thisinformation ruins brand reputations,undermines customer and stakeholderconfidence, removes competitive advantageand can cripple a business overnight.

The cost of rectifying the impact of thismismanagement can be huge. The capital andoperating costs alone can cause irreparabledamage, never mind the indirect or hiddencosts associated with brand damage, loss ofintellectual property or lost customerconfidence.

Yet data mismanagement and loss, includingsmall scale leakage, accidental deletion andhigh profile security breaches, is growingexponentially and this rise is expected tocontinue.

Our recent research study, commissioned byIron Mountain reveals, however that mid-market businesses are not good at managingand protecting their information. PwCconducted a survey of 600 mid-sizedbusinesses (those with 250-2,500 employees)across 6 European countries: the UK, France,Germany, the Netherlands, Spain andHungary. This paper explores the variousapproaches taken to protect and securebusiness information and reveals thatcomplacency, ignorance and poormanagement are widespread across the midmarket.

Our Information Risk Maturity Index puts aspotlight on the massive gap that existsbetween what businesses are currently doingand what they should be doing. It highlightsthat most midmarket businesses are notlooking after their (and their client’s) data atall well.

It highlights the widespread view thatinvesting in technological solutions to keepdata and information secure, is the answer.However the research also reveals a lack offocus on corporate culture and untrained,unmanaged and unchallenged employeebehaviours leaves the mid-market open to aPandora’s Box of risks and dangers.

In January 2011 the World Economic Forumnamed cyber attacks as one of the top fivethreats facing the world. This paper highlightsthat cyber attacks are not the only threat tothe integrity of information in the workplace.

Key study findingsOnly 50% of mid market businesses cited information risk as one of their top threeoverall business risks.

Just 36% of mid market businesses have a specific individual or team withresponsibility for information risk, and whose effectiveness is monitored.

PwC/Iron Mountain Information Risk Study, 2011/12.

PwC 4

PwC 5

The mid market is at risk

“Business leaders ignore informationsecurity risk at their peril. Historicallybusiness leaders have tended to regardinformation security as a technology issue– as reflected by the traditional reportingchannels – but this is a completemisconception and needs to change.”

Richard SykesPwC Governance and Risk Compliance Leader

PwC’s recent study on information risk,commissioned by Iron Mountain,reveals that most mid-marketbusinesses are not good at protectingtheir data. Our Information RiskMaturity Index clearly shows thatEuropean mid-market businesses havea long way to go to bring theirinformation management practices upto acceptable standards. The indexmeasures the level of maturity ofbusiness practice in mitigatinginformation risk.

Across our sample of 600 businesses, theperformance was poor, with an average indexof only 40.6. In a commercial world where anygrowth is good growth and where the rebirthof the service culture is driving clientretention, anything less than 50 is bad newsfor companies, clients and their collectivepeace of mind.

So, 40.6 is a long way off the ideal worldwhere every business has a full suite ofstrategic, people, communications andsecurity measures to protect data andinformation in place.

Our Risk Maturity Index is based on a set ofmeasures that, if put in place and frequentlymonitored, will help protect the digital andpaper information held by an organisation.The index represents a balanced approach toinformation risk, including strategic, people,communications and security measures.

The full list of 34 measures aimed atminimising information risk, is set out in theappendix of this report. Some of the keymeasures are highlighted below.

Key elements of our Information Risk Maturity Index

Strategy

An information risk strategy. A corporate risk register. Secure disposal of technology hardware and confidential documents. A corporate risk register.

People

Internet usage and social media usage policy. Employee training programmes including induction and refresher courses on information

risk. Personnel background checks. A specific team responsible for information risk.

Communications

Employee communications programmes to reinforce information risk issues. Clear guidance on storage and safe disposal of physical and electronic documents.

Security

An inventory of locations where information is stored. Clear, updated and recognised data classifications. Control procedures for access to buildings, restricted areas, company archives etc. A centralised security information management database.

Key study findings60% of businesses were unsure whether their employees had the necessarytools to protect against information risks.

26% of business respondents do not conduct personnel background checks.

59% of businesses who experienced a data loss reacted by investing inprotective technology.

PwC/Iron Mountain Information Risk Study, 2011/12.

PwC 6

PwC 7

Businesses that have most or all of themeasures in place, and regularly monitor theireffectiveness, will score between 90 and 100.The average score for our sample of 600European mid-market businesses is 40.6,illustrating the lack of attention being given tothis issue – and the potential for a realinformation crisis.

The index also highlights that the area

requiring most improvement relates to people

and communications. This supports further

evidence emerging from our study that mid-

market businesses are failing to recognise that

one of the biggest risks to information is

untrained, negligent and disgruntled staff.

The study also reveals that 59% of businessesbelieve that investing in technology willfacilitate data protection, suggesting that datasecurity is widely perceived as an IT issue andinvesting in technology is the appropriatepanacea. However, this ignores a growingbody of evidence that one of the biggestthreats to data security centres aroundcorporate culture and employee behaviour.

These same businesses remain unsure if theyhave appropriate tools in place to help theiremployees reduce the risk of data loss.Furthermore, they are not undertakingpersonnel background checks, and failing tomonitor the effectiveness of their informationrisk awareness programmes (where theyexist). In summary, a substantial number ofEuropean mid-market organisations fail torecognise that investing in employeeawareness and behavioural change will have agreater impact, lower cost and a more tangiblecommercial benefit than simply buyingtechnological solutions alone.

This awareness gap is supported by evidencefrom the Computer Security Institute’sComputer Crime and Security Survey, whichreported that less than 1% of security budgetsare allocated to awareness training. The studyfound that up to a quarter of businessesincurred more than 60% of their financiallosses from accidental breaches by insiders.

The risk of data loss is higher today than it hasever been. One of the biggest threats to anorganisation and its customer’s data is thebehaviour and attitudes of its employees. Thiscan be a result of many factors, some drivenby the culture of the organisation, someemployee centred and some a result ofexternal factors. We have identified 8 issuesconcerning employees that can, and often dolead to incidents of data loss.

1. Lack of awareness or lack ofunderstanding of the organisation’s dataprotection policies, data loss risks andtheir implications.

2. Lack of training in the use of datamanagement systems, leading to databeing mistakenly deleted or misplacedunknowingly.

3. Negligence on the part of the employee –talking too loudly on the train, leavingconfidential files in the bar on a Fridayevening, leaving confidential papers ondesks overnight.

4. Employee complacency and ‘it willnever happen to me’ attitude, leading tocarelessness and a lack of diligence such as‘forgetting’ to encrypt sensitive emails, notlocking confidential files away.

5. Misplaced curiosity, leading to dataloss mishaps or deletion of data.

6. Leavers - employees preparing to exit theorganisation, and taking data that may be‘useful’ in their new position.

7. Disgruntled and disengagedemployees who feel their employer ‘owesthem’. Such feelings may emanate fromunfulfilled promotion ambitions, payfreezes or perceived lack of appreciation ofthe employee’s efforts.

8. Malicious insider attacks fromemployees seeking to make profit fromtheir employer’s data, or wishing to causedamage to the organisation.

It is the final one of these, malicious attacks,that is commonly believed to be the main‘insider’ threat, however there is now strongevidence to show that the other seven aremore prevalent and potentially just asdamaging. Indeed all insider threats have thepotential to cause greater financial losses thanthreats which emanate from outside thebusiness.

However, the common element linking allseven high risk factors is behaviour.

Lack of training, poor communications, failureto set and enforce a company culture of ‘do itonce – do it right’, complacent management,supervisors and workers, all combine to createthe single greatest risk around the integrity ofinformation in the workplace.

Case study examplesIn February 2008, the Bank of New York Mellon sent 10 unencrypted backuptapes to a storage facility. When the storage firm's truck arrived at the facility,however, only nine tapes were still on board. The missing tape contained socialsecurity numbers and bank account information on 4.5 million customers.

HMRC lost the data of 15,000 people in 2007 after a hapless employee put adisc containing classified information in the post provoking a public outcry andwidespread negative media coverage.

PwC 8

PwC 9

The impact of notsafeguarding your data

“A breach of internal control at thiscompany resulted in a large fraud beingperpetrated over a long period of time.The losses were in excess of £500,000and the investigation cost more than£100,000.”

Source: Information Security Breaches Survey (ISBS) 2010, InfosecurityEurope/PwC

PwC 10

The impact of data loss or theft can be farreaching. Counting only the direct cost offixing the problem can be misleading. Manybusinesses are unaware of the significanthidden costs associated with data loss –hidden costs that can cause irreparabledamage to brand reputation, customerconfidence and public trust. Every businessthat holds customer or other sensitiveinformation is potentially at risk; and it’s onlya matter of time until their complacencymakes them a victim.

As the chart below highlights, the findingsfrom our study suggests that professionalliability or exposure and negative impacts tobusiness reputation are the most prominentimpacts for the mid-market market.

This finding was consistent across each of themarkets and sectors and illustrates thatbusinesses are conscious of the link betweennegligent internal practices and how they areperceived by their client’s customers ormarket peers.

The Infosecurity Europe Information SecurityBreaches Survey report has quantified themain impacts on small and medium sizebusinesses, and these are highlighted below:

Business disruption – on average 2-4 daysof lost business at an average cost of£15,000 - £30,000.

Incident response costs, mainly staff time -resulting in an average cost of £4,000-£7,000.

Direct financial loss, which may includefines, imposed by regulators andcompensation payments to customers – onaverage £3,000-£5,000.

Indirect financial loss such as the loss ofintellectual property, revenue leakage,brand damage – on average £10,000-£15,000.

Key study findingsAround six months ago an employee left their laptop in their car whilst out on a client visit and the car inwhich the laptop was in was stolen, which included a detailed supplier presentation. The major impactwas to our reputation as we had to postpone our supplier presentation, whilst we investigated the issueand prepared a new version. The supplier appeared understanding; however, without doubt this had anegative impact on our reputation in their eyes.

Insurance company, UK.

As a company we recognise that the information losses that we have suffered do not look good on us as abusiness and this has a negative impact on our reputation. We always go back to the employee that madethe error to make them aware of what they've done to help ensure that this is not repeated.

Financial services company, UK.PwC/Iron Mountain Information Risk Study, 2011/12.

PwC 11

Responsibility forinformation risk

“If you think technology can solve yoursecurity problems, then you don’tunderstand the problems and you don’tunderstand the technology.”

Bruce SchneierInternational security technologist and author

PwC 12

Despite the global impact of information anddata loss, startlingly, only 1% of mid-marketbusinesses see information risk as being theresponsibility of everyone in the organisation.More worryingly, only 13% see this as aboardroom issue, and have assigned theoverall responsibility for information riskmatters to the CEO or CFO.

A significant proportion (35%) continue toview information risk and data protection asan IT issue and have placed the responsibilityin the hands IT security manager. The legaland insurance sectors are more likely to takean IT-led approach, with financial andmanufacturing leading the way with a moreholistic approach to avoiding data loss.

This lack of boardroom involvement and lackof ownership outside IT is deeply concerning.The findings illustrate both the high levels ofcomplacency and low levels of understandingof the risks involved.

These findings illustrate the quandary mostorganisations face in the modern world. Thereis little doubt the risk/reward matrix favoursthe remote hacker, cyber criminal andeconomic criminal and this is where thegreatest focus is in terms of protecting digitaldata in an increasingly digital world.

And while those threats cannot and should notbe diminished, the focus and priority theyreceive often serve to reduce the day-to-dayreality that statistically, an untrained andpoorly managed employee is more likely tomishandle information. The 1% who agreethat everyone shares the problem just servesto underline the magnitude of the threat.

Clearly it is time for businesses to wake up tothe fact that investing in IT systems, whilstimportant, will not solve the whole problem.

Key study findings35% view information risk as the responsibility of the IT security manager.

Only 1% of mid-market businesses see information risk as being theresponsibility of everyone.

PwC/Iron Mountain Information Risk Study, 2011/12.

PwC 13

How well are businessesprotecting themselves?

“What is required now is a newapproach in which an investment inunderstanding and influencing thebehaviours of all those concerned isbalanced against the continuedinvestment in technology andprocesses.”

PwC Report, Protecting Your Business: Turning your people into yourfirst line of defence

PwC 14

Our survey shows that over 60% of businessessurveyed are not confident that theiremployees, or their executives, have access tothe right tools to protect against informationrisks.

When asked what people measures they haveput in place to minimise information risk, onlya third of businesses in the survey hadimplemented each of the following and wereactively monitoring its effectiveness. Theremaining majority are clearly at risk, and incomplacency mode, believing ‘it will neverhappen to me.’

1. Information risk awareness included ininduction programmes.

2. Ongoing training and awarenessprogrammes for all staff.

3. Personnel background checks.

4. An internet and social media usage policyfor all staff.

5. A code of conduct around employeebehaviours in relation to information.

6. Easily available information foremployees to refer to.

7. Tools to measure employee confidence ininformation risk procedures.

8. Employee communications programmeson information risk.

9. Employee guidance on procedures forsafe disposal of physical and electronicdata.

Businesses think the right thing to do is toinvest in technological solutions to protecttheir data and information. 59% of businesseswho experienced a data loss reacted byinvesting in protective technologies.

Industry sector variancesFrom a sectoral perspective, financial servicesand pharmaceuticals are the strongest sectorswith legal falling some way behind. If we takethe pharmaceutical sector for example, thissector is typically protective of its IntellectualProperty (IP) largely as a result of the strengthof various patents, which may in part explainits stronger overall performance on our index.

In a similar way, the financial services sectoris highly regulated across Europe, with theimpacts of data loss or mismanagementextremely high in terms of both reputationaland financial costs.

In contrast, the legal sector, whilst inpossession of a wide range of data andinformation, usually clients rather than itsown, is predicated on a tradition of originaldocumentation. Legal companies are oftenhighly reliant on such original documentationwhich may help to explain why its index scoreis comparatively lower than those sectors,including financial services andpharmaceuticals, which do not have suchreliance to the same extent.

In all sectors and countries, communication

and measures to minimise the people risks are

the areas requiring most attention.

Overall mid-cap businesses are failing to

recognise that investment in employee

awareness and behavioural change will have a

greater impact, will cost less and will have a

greater commercial benefit than technological

solutions alone.

Key study findingsI became aware that an appointed Consultant had accessed confidential information beyondtheir responsibilities, which could have had huge impacts if this was to be released to ourcompetitors. In a strange way this example was quite reassuring, as it at least showed me thatour systems, aimed at detecting this sort of unauthorised access, were at least workingeffectively.

Manufacturing company, Netherlands.

Just 36% of mid market businesses have an information risk strategy or approach in place,which is effectively monitored.

PwC/Iron Mountain Information Risk Study, 2011/12.

PwC 15

“Lack of knowledge, the complexity ofprotection and the problems of gettingsenior management to take notice arefundamental issues that must beaddressed.”

Christian ToonHead of Information RiskIron Mountain

Key study findingsJust 17% of UK businesses had a formal business recovery plan that waseffectively monitored.

27% from the legal sector had no training programmes in place to briefemployees on information risk issues.

42% of Hungarian businesses had an information risk strategy or approach inplace and monitored its effectiveness.

PwC/Iron Mountain Information Risk Study, 2011/12.

PwC 16

Country variancesWhilst all of the countries surveyed require ahuge step change in the way that they treatinformation risk, Hungary is in the strongestposition, with businesses there more likely tohave training programmes, clear guidance,codes of conduct and employeecommunication programmes in place. TheUK is consistently below par on the peopleissues.

“The contrast between Hungary – with itshigh level of ISO certification andmonitored policies – and countries like theUK, where 41% of respondents don’t evenknow if they have experienced a databreach, is concerning.”

Christian ToonHead of Information RiskIron Mountain

PwC 17

What are the bestorganisations doing?

“We have an information securitystrategy... together with ongoingcommunications with our employees and arestricted access policy to systems whichhold client information. The importance ofrespect for these measures is included inemployee interviews and initial training.”

Financial services company, The Netherlands.

PwC/Iron Mountain Information Risk Study, 2011/12.

PwC 18

Businesses that are good at protecting theirdata are more focussed not only on developingthe right behaviours amongst their employees,but are also more clued-in to the commercialbenefits of having a comprehensiveinformation risk strategy in place. Suchbusinesses realise that customers andsuppliers would rather do business withcompanies they can trust to look after theirdata and keep it secure. They are very aware ofthe competitive advantage that an effectiveinformation risk management and securitystrategy can bring.

The front-runners - businesses that lead theway in information and data security typicallyexhibit a number of features. Firstly they haveprioritised the importance of information riskby allocating overall responsibility at c-suitelevel, typically to the CEO or CFO. Frontrunners also have a team (or individual,depending on the size of the business) in placewhose responsibility it is to manageinformation risk. This is not a team ofcomprised solely of IT professionals.

The businesses who do this well will put inplace a team combining technological focusand strong people skills. The third key factoris continual vigilance - having in place, andregularly monitoring the effectiveness of, acomprehensive well thought-out informationrisk strategy that takes a balanced approachinvolving investment in people, processes andtechnology.

Our research reveals that these front runnersnot only have fewer incidents of data loss, butare also more aware of the number and typesof incidents they have experienced. They arebetter equipped to deal with problems whenthey occur.

Incident awareness should not beunderstated, as extensive research intoeconomic crime and cyber crime repeatedlywarns that most organisations are actuallyunaware of the number of security breaches,with many unaware that they have beenbreached until told by regulators, securityorganisations – or the media.

Such good practice is most likely to be found

in the financial services sector, and in

Hungary and the Netherlands. The UK has the

lowest incidence of front runners and linked

to this, the largest number of businesses (41%)

who don’t know if they have lost any data or

not. Unfortunately, in the mid-cap sector,

businesses that look after their data well are

few and far between.

Front runners: how arethey different?

• They treat information risk as aboardroom issue.

• They have a multi-disciplinary team incharge of information risk.

• They have a balanced informationstrategy and they monitor itseffectiveness.

Key study findingsDetailed customer information was lost by one of our sales people offsite. Bylosing the details of the customers’ orders and requirements we lost theirconfidence, and that had a direct impact on our order book.

Manufacturing company, UK.

71% of businesses that we categorised as 'front-runners’ have not reported adata or information loss within the past three years, much higher than theother respondent groups.

41% of UK businesses surveyed did not know or were unsure as to whetherthey had suffered any data loss incidents within the past three years.

PwC/Iron Mountain Information Risk Study, 2011/12.

PwC 19

Understanding thecommercial benefit

“The true value of information to businessis often overlooked. This leads toinadequate protection against risks tocorporate reputation. If the businesscommunity would only wake up toinformation risk management, it wouldsee greater business reward.”

Marc DualePresident of International, Iron Mountain

PwC 20

The Index confirms that the market drivesaction. Businesses were more likely toimplement an information risk strategy tomeet their client’s demands or gaincompetitive advantage, rather than respond tolegal or regulatory policy.

More than half of businesses surveyedmentioned commercial factors as the mainreason for putting in place an information riskplan or strategy.

However, companies that did implement aninformation risk strategy – regardless of thereason – were much better equipped to resistcyber attack, mismanagement of data by staffand data mishaps.

Commercial pressures remain a significantdriver of compliance. It is our view that clientcompanies should demand higher levels ofcompliance. This could be enforced through acontractual requirement. If more clients,customers and suppliers made better datamanagement a condition of doing business,standards would improve.

But how are clients to know whatdifferentiates front-runners from followers?The answer is often, regrettably, they can’t.However, anecdotal evidence suggests that thebest clients and the front-runners enjoy asymbiotic relationship, where clients ask keyquestions – similar to the questions in oursurvey – with the answers driving even greaterlevels of service provision amongst the front-runners.

This Index also supports and builds on theview that the commercial benefits of a wellformulated and executed strategy to developthe right behaviours, compare very favourablywith those from an increase in the level ofinvestment in technology based solutions.

A well thought out approach to developing the

right behaviours will ensure that all employees

will be alert to risks, will want to act to protect

their employers’ data and will know that they

will be actively supported in doing so.

What are thecommercial benefits?

• Competitive advantage

• Meeting client requirements

• Avoidance of reputational damage

• Better placed to win work form clients

• Stronger, more trusted brand

Key study findingsMore than half of the respondent businesses cited commercial factors as the mainreasons for putting an information risk plan or strategy in place.

External auditors visited our office to conduct an independent audit concerning theextent of compliance with the firm’s clear-desk policy. The subsequent report foundthat a number of employees had ignored this policy, with sensitive client informationfound to be easily visible to external office visitors which could have had seriousimpacts if stolen or removed from the office. The Audit Commission issued us with astern rebuke.

This was very embarrassing and resulted in a series of employee communications fromthe Board of Directors reiterating the importance of complying with the policy and thatthis would be monitored closely by the senior leadership.

Financial services company, UK.PwC/Iron Mountain Information Risk Study, 2011/12.

PwC 21

A call to action

“The business needs to act, and it needs toact now. Doing nothing is not an option.Many of the actions are straightforward todeliver and can have a big impact. But it’sclear that business culture and employeebehaviour both need to change.”

William BeerPwC One Security Director

PwC 22

In our view the following steps, ifimplemented and effectively monitored, willsignificantly help prepare and equip the mid-market business community to meet thethreats posed from information risks.

Step 1: Make information risk a boardroomissue.

Make it a permanent Board agenda point.

Identify an individual to takeaccountability and responsibility.

Articulate information risk in a languagethe Board will relate to – the financialimplications of not safeguardinginformation.

Include information risk on your riskregister, and provide regular status reportsto the Board.

Embed it into your existing practices andcreate monthly dashboards to monitorprogress.

Step 2: Change the workplace culture

People are the weakest link – screen allapplicants before offering employment.Re-screen at regular intervals.

Design and run well thought outinformation risk awareness programmes,starting at induction and with annualrefresher courses. Support traininginitiatives with security briefs, and mix thedelivery channel to keep it interesting.

Reward and reinforce good behaviours.Enforce sanctions for failure.

Identify individuals throughout theorganisation to champion informationsecurity.

Put effective communication channels inplace to communicate new messages. Toomuch communication and the message islost, too little and it doesn’t get through.Enable a two way communication process.

Have user friendly and easy to accessguidance information available. Everyworkstation should have clear guidance fordata handling.

Embed information risk into the dailyroutines of employees e.g. clear deskpolicies, document shredding, use ofconfidential storage.

Build information risk into staff objectivesand embed into annual performancereviews.

There is always a better mousetrap – findit. Identify technology that is fit forpurpose and secure enough for your needs.When it is implemented maintain it, andensure that you get sufficient logs andrecords from your systems. You need toknow when something goes wrong and thisinformation will support yourinvestigation.

Step 3: Put the right policies and processes

in place

Ensure that you include all informationformats – electronic, paper or media.

Secure duplicates and originals in the sameway.

Undertake detailed assessment of currentand future needs, threats, risks anddetermine the best course of action.

Make sure you have the correct accesspolicies and retention periods.

Identify information asset ownership.

Test systems regularly.

Identify all manual information handlingand define vulnerabilities.

What happens when the technology fallsover? Establish whistleblower protocolsand be prepared to use them.

Build your processes with informationsecurity at the core. That way it is not seenas a burden on the day to day business.

PwC 23

Appendix

PwC 24

IntroductionIn order to support this paper, PwC and IronMountain developed a detailed and robustresearch methodology to support theconclusions presented. In the first instance,we worked closely with Iron Mountain todevelop a comprehensive questionnaire whichwas largely based around the key themes ofthe paper, in terms of the extent andeffectiveness of business approaches tomanaging information risks from a people,communications and security perspective. Thequestionnaire was designed by PwC’s in houseteam of research specialists with expertinsight and contributions from the PwC RiskAssurance team, led by William Beer.

We also worked very closely with our researchpartner, Coleman Parkes, to ensure that thedesign of the questionnaire was in acompatible format to be uploaded to theircomputer assisted telephone interviewingsuite (CATI) and that this was made availablein the native languages of our respondentsample base.

Overview of our approachThe research methodology consisted of thefollowing:

A telephone survey of senior businessexecutives from the mid-cap market.

The completion of a total of 600 depthinterviews with respondents from the UK,Germany, France, The Netherlands, Spainand Hungary and representative of theFinancial Services, Insurance, Legal,Manufacturing and Engineering andPharmaceutical sectors.

A programme of 14 qualitative depthinterviews, with senior business personnelacross the same markets and sectors, toprobe some of the key issues in moredetail.

Who did we speak to?Respondents to the telephone survey weretypically CEO’s, CFO’s, CIO’s and Directors inorder to provide a senior business perspectiveand insight into the nature and extent of themost pressing information risks and of howthese are being managed at a senior level.

The telephone interviews were conductedproportionally with respondents from the keymarkets and sectors in order to allow for adetailed level of comparative analysis to beundertaken at this level.

The qualitative strand of the study probedsome of the key issues identified in thetelephone survey in a more detailed way,particularly in terms of the prevalence ofinformation and data losses together with thesteps and corrective actions that thesebusinesses have sought to put in place tominimise the occurrence of such incidents orlosses.

In order to develop as much insight from each

strand of this study, we embarked upon a

comprehensive “mine” of the data by

supplementing the topline findings with

specific cuts, particularly in terms of market

and sector specific trends as well as drawing

comparisons with previously published

reports.

As part of our methodology, we also devisedan information risk maturity index. This indexwas populated through applying a weightedaverage of each individual company responseto 34 statements which were included in ourstudy. The 34 statements were grouped underthe four defined business areas of ‘strategy’,‘people’, ‘communications’ and ‘security’ andcategorised as follows:

Research methodology

PwC 25

Which of the following doesyour organisation have inplace?

Strategy

1. An information risk strategy or approachin place?

2. A formal business recovery plan orstrategy?

3. A contingency plan to respond to small-scale information 'mishaps' or datalosses?

4. Regular privacy policy reviews?

5. A corporate risk register?

6. An information security strategy coveringmobile, personal devices and laptopsecurity?

7. A strategy for managing structured andunstructured information in digital andphysical forms across multiple locations?

8. A strategy for the secure disposal oftechnology hardware and confidentialdocuments?

9. A strategy that prioritises access tobusiness-critical and highest riskdocuments that arise most often incompliance requests?

People

10. A specific individual or team responsiblefor information risk within yourorganisation?

11. An exit process for employees who leaveyour organisation to prevent the stealingor copying of information?

12. Training programmes to brief employeeson information risk issues?

13. Information risk awareness included aspart of induction training?

14. Ongoing 'refresher' trainingprogrammes?

15. Effective computer-based informationrisk training programmes?

16. Personnel background checks?

17. A code of conduct concerning the correctbehaviours for all employees?

18. A tool to measure employee confidence inthe effectiveness of your information riskactivities?

19. An internet usage policy for all staff?

20. A Social Media usage policy for all staff(for example, Facebook, Twitter andLinkedIn)?

Communications

21. Availability of easily accessible riskinformation for all employees?

22. Employee communication programmesto reinforce information risk procedures?

23. Clear employee guidance on internalprocedures for the safe disposal andstorage of physical documents?

24. Clear employee guidance on internalprocedures for the safe disposal andstorage of electronic documents?

1

2

3

PwC 26

Security

25. Company policies for the safe security,storage and disposal of confidentialinformation?

26. Due diligence programmes regarding thehandling of personal, customer oremployee information?

27. An inventory of the locations of whereyour information is stored?

28. A centralised security informationmanagement database?

29. Technology to look at intrusion detectionsystems and intrusion preventionsystems?

30. Third party validation, for examplepenetration testing?

31. Clear, updated and recognised dataclassifications?

32. Control procedures in terms of access tobuildings, restricted areas, companyarchives and other sensitive information?

33. The use of different rules and processesfor storing data taking into accountdifferent document retention periods anddata protection requirements?

34. Incident notification processes, forexample, how to spot something thatshouldn't be there?

4

PwC 27

David ArmstrongPartner, PwC International Survey Unit

T: +44 (0)28 90 245454

M: +44 (0)7713 680266

david.m.armstrong@uk.pwc.com

William BeerDirector, PwC One Security

T: +44 (0)207 2127337

M: +44 (0)7841 563890

william.m.beer@uk.pwc.com

William RimingtonSenior Manager, PwC Risk Assurance

T: +44 (0)207 2121027

M: +44 (0)7843 329723

william.j.rimington@uk.pwc.com

Julie McCleanSenior Manager, PwC International Survey Unit

T: +44 (0)28 90 245454

M: +44 (0)7738 313241

julie.mcclean@uk.pwc.com

Kieran JonesSenior Associate, PwC International Survey Unit

T: +44 (0)28 90 245454

M: +44 (0)7845 635383

kieran.p.jones@uk.pwc.com

Report authors

www.pwc.co.uk

This publication has been prepared for general guidance on matters of interest only, and does notconstitute professional advice. You should not act upon the information contained in this publication withoutobtaining specific professional advice. No representation or warranty (express or implied) is given as to theaccuracy or completeness of the information contained in this publication, and, to the extent permitted bylaw, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume anyliability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining toact, in reliance on the information contained in this publication or for any decision based on it.

© 2012 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers toPricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom), which is a member firmof PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Design: RD-2012-02-22-10 50-VC