The Risk Maturity Index is the result of a survey of 600 mid-sized companies (250 to 2500 employees) in the UK, France, Germany, the Netherlands, Spain and Hungary, and is published in a new report, Beyond cyber threats, Europe’s first information risk maturity index. The index is based on a weighted risk maturity excellence model comprising four separate elements: strategy, people, communications and security. Scores in each of these areas are applied to individual companies, with a score of 100 being excellent. “A score of anything less than 50,” says the report, “is bad news for companies, their customers and their collective peace of mind.”
The average score across European companies is just 40.6.
These findings “are particularly worrying,” says Christian Toon, head of information risk at Iron Mountain, “when companies of all sizes and in all sectors across Europe are producing and processing electronic and paper documents at ever-increasing speed in an evermore stringent regulatory environment.”
“Business needs to act, and it needs to act now,” adds PwC One security director William Beer.
Drawing on the current scores of the majority of European SMEs, Iron Mountain has developed a three-step process designed to bring companies nearer to the ‘excellent’ benchmark. The first step is to make information risk a boardroom issue: identify an individual to take accountability and responsibility. This mirrors EU calls for companies and organizations to have a security champion, and is supported by Symantec/Ponemon figures that suggest merely having such a champion can reduce the cost per lost record from a security breach by £18.
Second, says Iron Mountain, change the workplace culture. Screen applicants, develop security awareness programs, reward good behavior, and put effective two-way communications in place. In short, says the report, “embed information risk into the daily routines of employees.”
The final step is to put the right policies and processes in place. This is where security technology can be used, but it should support policy, not replace it. One of the report's key findings is that there is a widely held belief that technology will protect data. “However,” it notes, “this ignores a growing body of evidence which shows that one of the biggest threats to data security centres around corporate culture and employee behaviour.”
“Historically,” says Richard Sykes, PwC governance and risk compliance leader, “business leaders have tended to regard information security as a technology issue – as reflected by the traditional reporting channels – but this is a complete misconception and needs to change.” This report shows that changes in culture and behavior are likely to have the greatest effect in improving what is currently an unacceptable level of risk maturity in European SMEs.