[Skip to content]

Sign up for our daily newsletter
The Actuary The magazine of the Institute & Faculty of Actuaries

Businesses lack information risk maturity, survey finds

Many businesses are woefully unprepared to address and manage information risks such as data breaches and data loss, according to a survey published today by Iron Mountain and PricewaterhouseCoopers.


In a report which includes Europe’s first Information risk maturity index, the company’s found that only around half of mid-sized business consider the loss of sensitive information as one of their top three business risks.

Less than a quarter (24%) of those surveyed were aware as to whether or not they had experienced a data breach in the last three years, while only 1% of respondents consider information risk to be the responsibility of every employee.

Nearly two-thirds (60%) admitted they do not know whether their employees have the right tools to protect information.

Marc Duale, president of international at Iron Mountain, said the report showed it was time for businesses to move from a culture of ‘information apathy and neglect’ to one of ‘information responsibility’.

‘Fail to act and you expose your customers to serious information risk while potentially leaving your company open to the risk of irreparable reputational damage,’ he added.

The survey is based on a survey by PwC of senior managers at 600 mid-sized (250-2,500 employees) businesses. Scores were assessed for the information risk maturity of businesses in France, Germany, Hungary, the Netherlands, Spain and the UK. The average score for businesses’ risk maturity was 40.6, against an ideal score of 100.

According to Iron Mountain, the survey revealed considerable inconsistency around who should be responsible for information risk. Just 13% of those surveyed saw it as a boardroom issue, while around a third saw it as the IT department’s responsibility.

Over half of respondents (59%) had responded to data breaches by installing additional technology, and only a third (36%) of companies had assigned responsibility for information risk to a specific team or individual, whose effectiveness was the monitored.

William Beer, a director in PwC’s UK cyber and information security practice, said: ‘Good information security requires three elements: people, processes and technology. Companies too often invest in technology to solve the perceived issue but technology is not the silver bullet.

‘Mid-sized companies that don’t necessarily have the financial resources, but do have the will and agility to change, can make a huge improvement by transforming the culture from the top, putting new procedures in place and educating their staff.’

To address the issue, Iron Mountain advised businesses to make information risk a boardroom matter, to change workplace culture so good behaviours are reinforced and rewarded, and to put the right policies and practices in place.

Please enter your comments below
Fill out the all the boxes and click the 'Submit comments' button to make a comment on this page
*Comments are added to the bottom of the page. They are moderated and will not be published until approved by The Actuary team. They may be edited.