Organisations need to consider the responsibility of information risk outside of the IT department.
According to information risk management company Iron Mountain, medium-sized enterprises (with 250-2,500 employees) need to change the way they manage information risk and take greater corporate responsibility.
Speaking to SC Magazine, Christian Toon, head of information security at Iron Mountain, said corporate responsibility for IT should not just sit with IT and the focus needs to be wider.
He said: “It needs to be in the boardroom and organisations need to discuss this. They need to have the right individual responsibility and accessibility in place, and take the issue of risk out of IT.”
An Iron Mountain and PwC report released today highlights an urgent need for a change in employee behaviour and a cultural shift among senior executives if organisations are to overcome the complacency, negligence and lack of shared responsibility uncovered by the study.
It found that only one per cent of respondents consider information risk to be the responsibility of every employee. The survey of 600 C-level executives at European businesses found that 99 per cent believe it is "someone else's problem", according to Toon. He added that there should be a call to action for everyone in an organisation to become responsible for information security.
The report also found that only 13 per cent of respondents consider information risk to be a boardroom issue, while more than a third (35 per cent) view all information risk, whether related to paper or digital information, as the responsibility of the IT department.
It also found that 76 per cent of businesses were unaware as to whether they had experienced a data breach in the past three years, while 59 per cent responded to a data breach by installing additional technology.
The 2012 Verizon data breach investigations report, released yesterday, revealed that 38 per cent of respondents were aware of data exfiltration in minutes, while 25 per cent were aware of it within days.
Toon said: “A quarter of businesses were unable to give an answer to whether they were experiencing a data breach or not. With the proposed changes to the European Data Protection Directive, businesses will have to report data breaches within 24 hours.
“Businesses are changing solutions depending on market needs, but they need a risk-based approach. Securing the digital fortress is not enough and perhaps physical access needs to be addressed.”
Iron Mountain has unveiled an "Information Risk Maturity Index", which makes three recommendations: make information risk a boardroom issue; change the workplace culture; and put the right policies and processes in place.
William Beer, a director in PwC's UK cyber and information security practice, said: “Good information security requires three elements: people, processes and technology. Companies too often invest in technology to solve the perceived issue, but technology is not the silver bullet.
“Mid-sized companies that don't necessarily have the financial resources, but do have the will and agility to change, can make a huge improvement by transforming the culture from the top, putting new procedures in place and educating their staff.”