For the third year running, UK firms have fallen behind their European counterparts when it comes to managing and responding to information risk.
UK mid-market firms were given a score of 55.9 out of 100 this year in the latest Information Risk Maturity Index from security firm Iron Mountain and global business consultants PwC.
This puts them well behind the leading European country, Hungary, which scored 60.2, and is only a marginal improvement on last year’s UK score of 55.4.
Despite a string of high-profile data breaches and upcoming reforms to EU data protection legislation, businesses appear to have reached a plateau and may not be fully equipped to manage cyber security risk.
‘UK firms have some way to go if they are to catch up with their European counterparts,’ said Phil Greenwood, commercial director at Iron Mountain. ‘For the third year running they have failed to match the average European score. It is critical that companies address this if they are to adopt a responsible-yet-proactive approach to information risk and value, not just to protect the business, but to help it thrive.’
Based on the findings of the Information Risk Maturity Index, Iron Mountain has identified a set of steps and actions to help businesses improve their data security.
This includes making information risk a boardroom issue by ensuring that it is a permanent point on the board’s agenda, that there is a senior individual on the Board responsible for it, and that it is embedded into how the Board monitors overall corporate performance.
It also advises a change in workplace culture, and stresses the importance of designing and delivering information security awareness programmes, having the right guidance available for every person at every level, and rewarding and reinforcing good behaviours throughout the organisation, from the most junior to the most senior employee.
Lastly, businesses need to put the right policies and processes in place and ensure these cover all information formats (electronic, paper or other media). It is also important to identify any vulnerabilities relating to manual information handling, establish whistleblowing protocols, and review and test all systems and processes on a regular basis.