Europe’s First Information Risk Maturity Index
A PwC Report In Conjunction With Iron Mountain
Information is the lifeblood of every business. Paper files and folders, back-up tapes and digital
archives represent a treasure trove of customer insight, employee knowledge, business
intelligence and innovation. At the same time, information presents one of the greatest legal and
reputational risks to businesses of all sizes. You only have to pick up a newspaper to see what can
happen to your customer relationships, brand reputation and sales if information is lost,
damaged or exposed.
Like any other business asset, your information is exposed to risk. You can only protect your
information if you know where the risks are, how likely they are to occur, and how best to manage
To understand the levels of information risk within European mid-market businesses and their
capability to mitigate against this, Iron Mountain commissioned PwC to study 600 mid-sized
businesses across Europe. The results reveal a deeply concerning picture of complacency,
ignorance and lack of management that should sound an alarm bell across the European
The findings are particularly worrying at a time when companies of all sizes and in all sectors
across Europe are producing and processing electronic and paper records at ever-increasing speed
in an ever-more stringent regulatory environment.
Information risk is a board-level issue. If you only take one thing away from this report, it should
be an understanding that the key to managing information risk starts and finishes with your
people and business culture. Do not expect technology alone to solve the problem. People are
often the weakest link when it comes to information security, but they are also a company’s secret
weapon when it comes to cost-effective information security management. Information risk
management should be part of the cultural DNA of your business, and establishing a culture of
responsibility can only be successful when the drive and example come from the top.
We hope that this report will encourage you to review the approach your business
takes to information risk and take on board the recommendations and practical steps suggested.
We hope you take action not simply because your customers are calling for it, or the legislators demand it,
but because it is the right thing to do. Take action because the success or even survival of your business could depend on it.
Head of Information Risk
Iron Mountain Europe
This report presents the findings from Europe’s first Information Risk Maturity Index.
The Index clearly shows that European mid-market businesses have a long way to go to bring their
information security practices up to acceptable standards.
Across our sample of 600 European businesses, the performance was poor, with an average index score of only 40.6
out of a maximum possible score of 100. In the current commercial
environment, a score of anything less than 50 is bad news for companies, their customers and their collective peace of mind.
Our study reveals that 59% of businesses believe that investing in technology will facilitate data
protection. This suggests, firstly, that data security is widely perceived by business as mainly an
IT issue, which it is not. Secondly, and related to this, it suggests that investing in technology is
often perceived as the appropriate solution. However, this ignores a growing body of evidence
which shows that one of the biggest threats to data security centres around corporate culture and
The evidence in this report illustrates why all businesses should take heed.
The risks they face are extensive, with the potential to make the difference between success and failure.
Our study shows that over 60% of mid-cap businesses in the countries surveyed are not confident that their employees,
or their executives, have access to the right tools to protect against information risks.
Based on the findings of our Information Risk Maturity Index, we have identified a set of steps and actions that,
if put in place and frequently monitored, will help protect the digital and paper information held by businesses.
- Step 1: Make information risk a boardroom issue - ensure that it’s a permanent point
on the Board’s agenda, that there’s a senior individual on the Board responsible for it,
and that it is embedded into the Board’s dashboards that are used to monitor overall
- Step 2: Change the workplace culture - design and deliver information security
awareness programmes, have the right guidance available for every person and at every level,
and reward and reinforce the good behaviours throughout the organisation, from the most junior employee to the most senior.
- Step 3: Put the right policies and processes in place - and ensure these cover all
information formats (electronic, paper or media), define any vulnerabilities relating to
manual information handling, establish whistleblowing protocols, and review and test all systems and processes on a regular basis.
These actions are fundamentally about developing a business culture in which information
risk awareness is at the core of day-to-day employee tasks and activities.
Businesses need to act, and they need to act now. Doing nothing is not an option. A step-change
in business culture and employee behaviour is required. Anything less will simply not be
Information: A Priceless Resource
“Information is a priceless resource that must be
protected. There’s currently a massive gap between what businesses are currently doing to protect
themselves, and what they should be doing.”
PwC One Security Director