09/07/2013 10:19 BST | Updated 08/09/2013 06:12 BST

The Hypocrisy Behind the Data Breach


If there's one thing the public hates, it is hypocrisy. From adults behaving badly when we're children to lying politicians and cheating celebrities, it's the one thing guaranteed to invoke the sting of injustice in everyone. So it's no surprise that the most shocking finding from our recent report into the state of information risk within European businesses was one that exposed the hypocrisy of the companies that hold one of our most precious assets - our data.

This year was the second year Iron Mountain commissioned PwC to develop a Risk Maturity Index report that measures how prepared European mid-tier companies are to manage and respond to information risk.

This year's survey revealed a culture of hypocrisy and double standards when it comes to approaching data protection good practices. While more than half (58 per cent) of European mid-sized firms say they would refuse to do business with a company that had suffered a data breach, 41 per cent believe data loss is just an inevitable part of daily business. Those businesses that pride themselves in avoiding the tarnish that others' data breaches might bring are, on the other hand, not prepared to hold themselves to account for the same lapse.

When we entrust a company with our data, whether it's our personal details, credit card numbers or opinions and feedback on a product or service, we give up this information with the expectation that it will be as kept as secure as we would keep it. While the UK performed better than in last year's Index; a score of 55.4 compared to 36.0 in 2012. When considering that this is out of a possible score of 100, it is evident that there is still a long way to go until we can be sure that the companies we have to place our trust in know what they're doing with our data and keep it secure.

Inconsistencies abound. 25 per cent of businesses consider employees to be a serious threat to information security, yet 82 per cent willingly trust their employees to follow their information risk policy (if they have one). This suggests a culture of passing responsibility when it comes to protecting data - one business expecting another to take care of it, the board simply expecting employees to comply, and everyone else passing it off as an IT issue despite 53 per cent citing the IT department as the weakest link data security.

When you take the time to think about all the information held by all the companies you've ever done business with, in either your professional or personal life, it is frightening to think that at any moment it could be put at risk. But it is in fact the consumer who should be able to wield the most power when it comes to compelling businesses to take greater responsibility for information security.

Paradoxically, despite the high level of complacency, when asked what the biggest asset a business has to lose from a data breach, 60 per cent fear loss of customer loyalty over any other potential consequence. Brand reputation follows close behind with loss of sales and revenue coming in third. Considering the importance of customer trust and loyalty, businesses need to prove their commitment by formally putting in place guidelines and practices to ensure they avoid letting their customers down. They need to remember that if they don't want to work with a business that has had a data breach, we won't want to either.