• Home
• News
  • Business Continuity News
  • Regional news
  • Sector news
  • Events Diary
  • Newsletters
  • Newsfeed
• Jobs
• Topics
  • BC: Facilities & Buildings
  • BC: General
  • BC: Markets & Companies
  • BC: Plan Development
  • BC: Software
  • BC: Statistics
  • BC: Testing & Exercising
  • Crisis Comms & Management
  • Critical Infrastructure Protection
  • Disaster Recovery
  • Emergency Management
  • Enterprise Risk Management
  • Operational Risk Management
  • Pandemic Planning
  • PS Prep
  • Standards
  • Terrorism
• Technology
  • Cloud Computing
  • Data Center / Centre Issues
  • ICT Continuity
  • Information Security
  • Recovery Facilities
• Resources
  • Webinars
  • BC software directory
  • Newsfeed
  • Twitter
  • Advanced BC information
  • Advanced ICT information
  • Basic BC information
  • Basic ICT information
  • How to advertise
  • About us
  • Contact us
  • Privacy
• Newsletters
• Training

WELCOME TO THE CONTINUITY CENTRAL ARCHIVE SITE

Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Information risk management lessons

By Christian Toon.

Naivety and misplaced trust are a dangerous combination in business. Nowhere is this more clearly seen than when it comes to managing information risk. A recent study[i] reveals that 87 percent of companies across Europe do not believe that their employees take information with them when they leave. For 81 percent this confidence stems from the introduction of robust measures that include asking employees to sign non-disclosure agreements, blocking access to company IT networks upon departure, ensuring data cannot be copied onto discs or USB keys, and escorting those in high risk positions from the building the moment they hand in their resignation. Well that’s all right then.

Except, three quarters of those surveyed never bother to check whether any of these measures actually prevent information being removed, and a different study[ii] – one that asked employees what they really do with information when they leave – paints a very different picture. Employees, it revealed, happily take highly confidential or sensitive documents and databases with them, and many believe they’re doing nothing wrong. 

Two thirds said they had taken or would take information they had been involved in creating, and 72 percent said they believed the information they took would be helpful in their new job. 

European office workers are also walking out the door with presentations (46 per cent of those who took information), company proposals (21 per cent), strategic plans (18 per cent) and product/service roadmaps (18 per cent). More worryingly, half (51 per cent) are helping themselves to confidential customer databases, despite data protection laws forbidding them to do so. If measures to block access to information kick in as soon as employees resign, then the chances are this material is disappearing just before they do so.

All this makes the confidence among employers look worryingly out of touch. Especially when you consider the value that information holds for the sectors covered by the research: financial services, legal, insurance, pharmaceuticals and manufacturing and engineering.

It is vitally important that employers understand this. Employers need to realise that managing the information risk of departing employees is not just about having an impressive process in place. It’s about making sure that it achieves its purpose.

In other words, locking an employee out of your company IT network on the day he or she resigns is well-intentioned but meaningless if the employee spent the previous week quietly printing off sensitive papers or emailing customer databases to their personal email account.

It’s not all bad news. Two thirds (67 percent) of employers appreciate that employees leaving for a new role represent a risk to information security. Most just feel they have done enough to address it. So what more can or should they be doing?
The answer lies in employee communication and education. It is important that employees understand what constitutes confidential information and what the legal and/or reputational implications of removing data might be.

The 2012 study discovered a direct correlation between employee behaviour and the existence and communication of corporate guidelines. For example, 80 percent of respondents from Germany understood what information could or could not be removed from the office, compared to a European average of 57 percent – and just a third had taken documents they had created with them when they left, against a European average of 56 percent). In other words, if employees know what is expected and why, they will often act accordingly.

For the most sensitive and confidential data, additional IT-enabled security measures can be implemented, such as preventing employees from saving such data locally on their PCs. Centrally stored data, such as patient records or research statistics can be made available on a read-only basis following a formal request. This is a practice already widely adopted in healthcare.

To keep data secure at all times and not just at the point of exit, employers need to build a culture of accountability, respect and trust for information – both on paper and digital – underpinned by strong security safeguards.

Most companies are doing something to mitigate information risk, but few are doing enough. The findings of the study at both mid-market and enterprise level show that, while many have the policies and processes in place in terms of strategy, people, communications and security, the majority have not followed through to implementation and monitoring.

Companies know what to do but do not ensure their plans succeed. Too few measure; too few educate. And too few communicate. This is true in Europe. And it’s true in North America. And if companies aren’t driving compliance or measuring effectiveness, then they don’t fully understand their exposure to risk and this makes them vulnerable to data breach and noncompliance.

The message is clear. When it comes to information management, more widely, businesses face the same problems everywhere. They operate in an information landscape that is defined by the increasing volume, variety and velocity of information moving through the business, and by a wide range of risks.

[i] Beyond Good Intentions: The need to move from intention to action to manage information risk, PwC for Iron Mountain, June 2014.  PwC surveyed senior managers in Germany, Hungary, the Netherlands, Spain, UK, the United States and Canada, with 250 or more employees, in the legal, financial services, pharmaceutical, insurance and manufacturing & engineering sectors.

[ii] Opinion Matters for Iron Mountain, June 2012.

The author
Christian Toon is head of information risk, Iron Mountain.

•Date: 16th July 2014 • World •Type: Article • Topic: ISM

Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.