The handling of paper documents is the single greatest threat to information security, according to a recent study by storage and information management company Iron Mountain and PwC. Two thirds (66 percent) of mid-sized companies in the UK regard the management of information on paper as a serious security risks – more than double the number that fear external threats to digital content such as hacking and malware.
The study reveals that many organisations are not coping effectively with paper. 39 percent of those surveyed have monitored policies in place that guide employees in the storage and disposition of digital records, but just 31 percent have the same for paper documents. Only 39 percent have monitored access restrictions to areas where confidential information is stored.
Featured Download: Social media access at work. Do your employees know the rules?
Over three quarters (85 percent) of firms rely on one person or team to manage both paper and digital information risk – although the study found that top performers in risk management invariably have distinct groups looking after paper and digital information.
Most organisations think IT security managers should have a responsibility for information risk (73 percent) with many (42 percent) believing that IT security managers should be ultimately accountable. In the UK, just 3 percent believe that the records manager should hold some responsibility.
The study suggests that the paper security challenges organisations face include the widespread existence of legacy archives, uncertainty about retention rules – with many companies retaining all records just in case – and an increased focus on digital transformation.
This complements the findings of another Iron Mountain study which found that two-thirds of firms in the UK (63 percent) find it hard to integrate paper into automated customer management processes.
Sue Trombley, Managing Director of Professional Services at Iron Mountain, said: “All information is vulnerable in some way, but paper and digital records carry different risks that firms need to understand and govern appropriately. In the absence of proper controls and policies, paper can be photocopied – not just once, but many times. It is easily shared and removed and can be left lying around, filed randomly, or disposed of in any bin. Organisations need to introduce and monitor effective processes and responsibilities for keeping paper documents safe. While we may never be completely free of paper, we can significantly reduce its associated risk by raising awareness, providing practical processes, and monitoring compliance.”
Iron Mountain recommends that companies follow these three simple steps:
1. Make the most of widely available and affordable eLearning courses and tools to reach all employees in all locations with the same message – and expectations – for managing information.
2. If organisations haven’t already thought about imaging their paper records, it’s worth taking a look at document processes and seeing what might be right for scanning, such as documents required immediately or regularly. The original paper documents can then be destroyed or archived securely depending on relevant retention guidelines.
3. An annual clean-up day can go a long way toward putting the focus on the control of paper records and deciding how to get paper records out of the office environment. With proper guidance, employees can help determine whether to destroy records or send them to a secure off-site storage facility.
The full report Beyond Good Intentions: The need to move from intention to action to manage information risk can be found here.
The 2014 Information Risk Maturity Index is the third annual study to measure how prepared companies are to manage and respond to information risk and address other key information trends. PwC surveyed senior managers at 600 European and 600 North American businesses with 250 to 2500 employees and a further 600 firms across both continents with up to 100,000 employees in the legal, financial services, pharmaceutical, insurance and manufacturing and engineering sectors.
About Iron Mountain
Iron Mountain Incorporated (NYSE: IRM) is a leading provider of storage and information management solutions. The company’s real estate network of 64 million square feet across more than 1,000 facilities in 36 countries allows it to serve customers around the world. And its solutions for records management, data backup and recovery, document management and secure shredding help organisations to lower storage costs, comply with regulations, recover from disaster, and better use their information for business advantage. Founded in 1951, Iron Mountain stores and protects billions of information assets, including business documents, backup tapes, electronic files and medical data. Visit www.ironmountain.co.uk for more information.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.