Recent research among mid-market businesses across Europe reveals a level of complacency around information risk that could have devastating consequences. In light of this, I am calling on organisations everywhere to commit to Corporate Information Responsibility (CIR): the practice of understanding, valuing and protecting the information they hold.
The benefits to a business include enhanced productivity and increased consumer trust. Remain complacent and organisations could suffer a loss of market share, delayed product development and an increased risk of data breaches that damage customer confidence and brand reputation.
To help firms adopt CIR, a group of leading information management experts and influencers, including PwC, IE Business School, IT consulting firm IPL, sustainability and corporate responsibility experts akzente and the Information and Records Management Society (IRMS), joined me to create a simple action plan for businesses.
1. Make information a boardroom issue
Ensure that senior management clearly understand the full impact of a data breach. Too often organisations only introduce protective measures in response to a breach.
- Action: Ensure information risk is regularly on the agenda at Board meetings.
2. Start with people
Engage your workforce. Understand how employees use information and help them learn how to protect it. Promote a culture of information responsibility, and empower employees to value information and keep it secure.
- Action: Ask employees to help create a list of golden rules for protecting information, and provide a confidential channel for them to express concerns or raise issues.
3. Be realistic
Resources are limited so make sure you get the basics right. It is not essential to invest significantly in IT to mitigate risk. Your biggest returns will come from better training and communication. Even a small step in the right direction is better than no action at all.
- Action: Take simple first steps. Secure your paper records in a locked room or consider outsourcing; keep your backup tapes off site and encrypt where necessary.
4. Understand how your business operates
Look at how information is created, received, processed, stored and ultimately destroyed in your business. Who is responsible for it at any moment in time? How is it protected?
- Action: Set up a cross-departmental team to identify the journey of information from creation to secure destruction and highlight the main risks and vulnerabilities – ask the team to produce a report for the Board.
5. Understand what information you care about most
Not all information is of equal value; identify the information that could damage your organisation if lost or leaked.
- Action: Think through the repercussions of losing your information to understand where your risks lie and what the impact of a data breach might be.
6. Introduce a unified approach to ongoing risk management
Include clear lines of accountability and responsibility, as well as centralised control to spot inter-dependencies and inter-departmental weak points.
- Action: Appoint someone to take overall responsibility for your information.
7. Create policies and procedures
Policies on their own are not enough; they need to be understood and implemented.
- Action: Introduce a reward and recognition programme for employees. Also consider getting a free gap analysis from vendors, and refer to best-practice standards such as PCI DSS and ISO 27001.
8. Get help
Information management is hard and getting harder as the volume and velocity of structured and unstructured information increases. There are resources out there that can help.
- Action: If you don’t have the skills in house, consider engaging with a professional organisation or outsourcer and see how they would handle your challenges.