Today, businesses are largely aware of the information risks they face. Indeed, we have seen information risk awareness grow significantly over the past few years. This growth is probably a consequence of the adverse publicity surrounding data leaks, the growing fines imposed on organisations that fail to hold personal information safe, and the proposed high-profile changes to European data and protection laws.
After waking up to the risks, many businesses took the initial steps to create policies and processes to address the perceived threats. However, the next important step – to make sure that these policies and processes are implemented and, importantly, monitored – does not come quite so easily for the majority of businesses.
Good intentions should be the start, not the destination, of the journey to managing information risk. Our recent research with PwC concluded that organisations find themselves unable to bridge the gap between having a well-intentioned plan or policy in place and making sure it actually works. There are countless examples throughout the research that clearly illustrate this point.
As you can see from this slide, four in five of the business leaders questioned in the research (81 per cent) said they had a policy in place for the secure storage and disposal of confidential information. More than half (54 per cent), however, do not monitor its effectiveness. It is extremely concerning that one in five businesses still don't have such a policy in place. If you find yourself here, you should talk to Iron Mountain.
We could conclude that fewer than a third of the businesses we surveyed can be confident they store and dispose of their confidential information effectively.
Whether we are talking about security, people, communications or strategy, time and time again we see this gap between good intention and effective, monitored implementation. Policy and process are extremely important and have to be addressed, but they remain pointless if they are not communicated, monitored and enforced. If they have no audience, then perhaps they are not worth the paper they are written on.