There are a number of steps businesses of all sizes can take to protect their information. Christian Toon, Head of Information Risk at Iron Mountain, provides some tips to ensure that the lifeblood of your business is managed in the best possible way.
1. Know where your information is
Understand exactly what information you have and how much of it exists, then categorise the types of information in use. Finally, ensure you can track information from its creation to its eventual deletion, recording where it is at any moment in time, with whom it is shared, and who is accountable for it.
2. Train and communicate procedures clearly
Be certain that employees handling data have received appropriate training and have a clear understanding of your company's security requirements. This should be backed up by clearly communicated procedures for data handling and storage.
3. Back up and encrypt
Regularly back up and encrypt all data. This also applies to information taken offsite, for example by employees working from home. The storage, archiving, management and retrieval of information should be secure; an approach that leaves boxes piled up in cupboards or under stairs does not meet these criteria.
4. Know the cost
Assuming your company manages its physical records in-house, identify how much this is costing. When you take into account requirements for physical space, the amount of staff time devoted to storage, management and retrieval, not to mention the cost of training your staff to handle information appropriately, the chances are that the total expenditure is significant and could be saved and re-invested elsewhere in the business.
5. Prepare for the unexpected
Ideally, data should be stored securely offsite where it is not vulnerable to accidental data breaches or unforeseen incidents such as fire, flood or theft. If kept on-site, you should regularly review physical security arrangements – something that can be particularly challenging in the absence of security or information management resources.
6. Shred and dispose
It is vital that once customer data is no longer required, it is irretrievably disposed of. The secure particle shredding of documents and discs is the best practice option and should become the standard across the business. This allows you to destroy information relevant to your business and security rating.
7. Foster the right culture
Ensure that employees at all levels are aware of the risks and repercussions of a data breach. By doing this and implementing clear policies for how information is managed and handled, it is possible to foster a culture of information responsibility.
Instilling a culture of Corporate Information Responsibility (CIR) also requires the backing of senior-level executives. The drive and direction for responsible information handling must come from the very top of the business and be backed up by example. How information is managed has become a Board Room issue, not just in terms of developing and disseminating company-wide policies, but as an example of best practice in information handling and accountability that sets the tone for the whole business.
Data protection is a serious issue that requires significant commitment. The impact of not getting this right is only going to get worse as new EU data protection legislation promises to raise the stakes in terms of potential fines and brand damage from non-compliance.
If businesses fail to implement these steps, they are preparing to fail.
Christian Toon, Head of Information Risk, Global Security Services, Iron Mountain Europe.