Iron Mountain: Confidential information at greatest risk in new businesses
January 2017 by Iron Mountain
11th February Businesses under five years old are twice as likely to compromise the confidentiality of sensitive information than more established businesses. This is one of the findings of recent research into information management and security practices in the mid-market, commissioned by leading storage and information management services company Iron Mountain.
The in-depth study of mid-market businesses across Europe and North America found that staff at recently established organisations expose their businesses to information risk because they are less careful with critical business data. Nearly half (48%) of those surveyed admitted they had left sensitive documents lying about the office, had mislaid them completely or had lost them in a public place. This is twice as many as staff at more established firms, where fewer than one in four (23%) had made similar information management mishaps.
Younger businesses are considerably less clear on how long they are legally required to retain documents such as tax records, contracts and customer data, making these organisations more likely to put the safety of this information at risk. For example, more than half (59%) of business professionals at companies between one and five years old admitted they could be keeping sensitive human resource records beyond their retention deadline, exposing the business to the threat of reputational damage and fines from information regulators. This is compared with just 20% at firms with more than 25 years in business.
Yet young firms are doing little to address the situation, preferring instead to prioritise expansion into new markets (80%) or product development (54%). The majority (76%), for example, have no plans in place to automate key information management processes such as HR. They are also less adept than older firms at managing data protection procedures or extracting value from their information. When asked about their processes for regulatory compliance in data handling, just a third (32%) of respondents at firms under five years old said their processes are "relevant and easy to comply with". By comparison, 46% of respondents at firms aged 25 years and over said the same. Similarly, just over a quarter (28%) of those at younger firms said they have effective processes in place to monitor where their information is most valuable, compared to two fifths (40%) of respondents at older businesses.
Elizabeth Bramwell, director at Iron Mountain said, "The first five years of a business’s life are often dedicated to rapid growth as the organisation establishes itself in the market. The start-up phase is a busy one, so it’s perhaps understandable that information management mistakes are more likely to happen during this time. However, whether you’re a new or an established business the law is the law, so it’s vital that confidential information is protected. If bad information habits are left unchecked and effective processes aren’t put in place, young businesses face severe legal and reputational consequences that could fast erode customer confidence and threaten the very survival of the business."
Previous research from Iron Mountain and PWC[i] suggests that many mid-market companies experience an ’information epiphany’ when the products or services with which they launched the business start to approach their end-of-life, which normally happens around the five to seven years stage.[ii] According to this research, over a third (38 per cent) of younger firms don’t know how information flows through the business, compared to 22 per cent of those aged six and over. To take a more mature approach to handling and harnessing the value of information, young businesses need to put effective information management processes in place from the start, which can then become part of their company culture as they grow.