Well-managed information has become a precious business asset. Inevitably, as it becomes more valuable, information becomes more vulnerable. Data breaches, cyber-threats and fraud are all on the rise. Such malicious threats combined with human error are exposing points of weakness in a fast-changing, complex information landscape and are putting brand reputation on the line. Against a regulatory backdrop that is not always clear, companies are struggling to cope with the need to manage legacy archives along with the exploding volume of data generated by new technologies. As a consequence, businesses are facing unprecedented levels of information risk. A new report by information storage and management company Iron Mountain and PwC reveals some significant differences in the way younger and older firms perceive and address their information risk. Each side has important insight to offer the other.
Things that older firms can teach younger firms:
1 Having a plan is as important as ‘getting the job done’.
Just under half (49 per cent) of younger firms – those which have operated for between two and five years – admit freely that they are much better at doing things than they are at strategic planning. Older firms, on the other hand – those that have been in business for a decade or more – appear to have learned that knowing why you do something is just as important as what you do, with over half (56 per cent) having a monitored information risk strategy in place, compared to just 14 per cent of younger firms.
2 It is all right to be cautious about trusting employees with information.
Younger firms are far more trusting when it comes to their employees and their data. Just 18 per cent believe employees are a threat to information security, and only half have an employee code of conduct; while a more significant 42 per cent of older firms see employees as a threat and two thirds have an employee code of conduct in place. If caution leads to codes, guidelines and training to help employees better understand the risks and protect information then caution should be encouraged and applauded.
3 Things can and probably will go wrong, so it pays to prepare.
Older firms are nearly three times more likely to have a business recovery plan in place (66 per cent set against 27 per cent for younger firms). Without such a plan, any disaster could leave a firm disabled and exposed to a data breach or other information loss from which it might never recover.
4 You need to check what works.
The study reveals that older firms are around twice as likely to monitor the effectiveness of any measure they introduce. Failure to check could mean younger firms are wasting resources or undertaking fruitless tick-box exercises that have little or no impact on risk reduction.
5 Information risk should be a Boardroom issue.
Half of younger firms say the Board does not see information security as a big issue, whereas the boards of mature businesses are far more likely to see information risk as worthy of their attention. Senior-level support is critical if information risk is to be taken seriously.
6 Mitigating information risk should be a concern for every employee.
Despite trusting their employees more, just over half (52 per cent) of younger firms say employees do not see data protection as a big issue. These firms are, it seems, quite willing to trust people who they suspect might not be concerned about keeping company information secure. Two thirds of the mature businesses surveyed say employees do regard information security as a serious concern.
Some interesting points that both young and old firms should pay attention to:
7 Today’s complex world of hybrid information is here to stay.
Younger firms are more likely to feel comfortable managing structured and unstructured information in digital and physical formats across multiple locations (55 per cent compared to 38 per cent for older firms). This multi-format, multi-channel data world is the new reality; there is no turning back, so you might as well embrace it.
8 The personal/business boundaries in social media remain fluid and it is worth taking the time to get it right.
The boundaries between personal and business use of social media are still evolving and represent a potential legal and data protection nightmare for unwary firms. The general confusion and uncertainty about the use of social media can be seen from the widely varying approaches and preferences uncovered by our research. For example, our study found that over half (59 per cent) of younger firms monitor employees’ social media usage, compared to just 36 per cent of older firms. Younger firms pay significant attention to Facebook (73 per cent), with older firms twice as likely to monitor activity on LinkedIn (67 per cent). Yet this pattern reverses when it comes to recruitment, with a third (31 per cent) of older firms reviewing candidates on Facebook compared to just 10 per cent of younger firms; and 82 per cent of younger firms reviewing candidate entries on LinkedIn, compared to just 46 per cent of older ones. How much useful insight can be gained from any of this remains unclear.
9 Money isn’t everything: the greatest victim of a data breach could be your reputation.
All firms agree that the impact of a data breach will touch customer loyalty (58 per cent for both) and brand reputation (52 per cent for both), but older firms are nearly twice as likely to be concerned about financial and legal consequences.
10 When it comes to risk, it may not be worth cutting corners.
Just three per cent of younger firms agree strongly that cutting cost is more important than reducing risk, compared to 28 per cent of older firms. Perhaps this is because two thirds of older firms believe the risk of a data breach to be low, compared to a third of younger ones – who are also more likely to feel overwhelmed by the ever-growing risk of a data breach and the relentless pace of change.
Information risk touches us all. Just as firms hold their employees’ and suppliers’ data, not to mention their own precious knowledge and intellectual property, many also hold personal information about us as the consumers of their products and services. This information needs and deserves to be protected. Achieving that means seizing every opportunity to discover how best to reduce risk. When it comes to best practice and managing information risk it would appear that firms have much to learn from each other.