Christian Toon
Christian Toon, Head of Information Risk, Iron Mountain Europe

As the fallout of the phone hacking scandal continues to dominate the news, it is easy to forget the raft of high-profile data breaches that had hi-jacked the headlines previously. Businesses are as vulnerable as individuals, if not more so. Whether it's paper documents in archive storage or digital data stored in the cloud, the information held by an organisation is a vital business asset, of interest to criminals or competitors who seek to profit from it or to basement hackers out to prove they can kick in the cyber back door and help themselves.

The Ministry of Defence admits that it investigates 100s of cyber-attacks on the department and with hackers such as the UK's 19-year-old Ryan Cleary who was charged for serious cyber-crime offences last year, it's becoming increasingly hard for organisations to know their enemy. Information security and data protection are no longer just about limiting the carelessness of employees to stop incidents like leaving a brief case full of company secrets in the bar or dropping a USB stick in a public car park - businesses are now dealing with a malicious threat from insiders and outsiders intent on doing harm. It is a trend that is on the rise.

If that wasn't enough food for thought for business leaders, the UK government is becoming increasingly stringent with organisations not taking appropriate measures to protect their data. There have been numerous major instances where the Information Commissioner's Office (ICO) has issued significant fines to organisations in breach of the Data Protection Act 1998. The ICO's powers signify a very real threat for organisations that fail to comply with the law. It's time for businesses to take a hard look at their data protection strategy to cover the on and off-site storage of both their digital and paper-based information so that company integrity and reputation are not compromised.

In order to be fully compliant with the government's information risk measures, organisations need to pay more attention to information management across the lifecycle, from creation or receipt to secure destruction by deletion or shredding. Businesses need to recognise the vulnerabilities and potential risks that can arise at each stage.

When assessing information risk, it is imperative to have policies and procedures that address the PICA values - Privacy, Integrity, Confidentiality and Availability considerations. For example, companies may have information on laptops that also exists in duplicate on a network drive or in a backup repository used by the PC. A company must consider who is accountable for this type of information, where it is used by several people or departments or stored in different places.

Once accountability and vulnerabilities are understood, it's vital that organisations introduce a full 'chain of custody' approach to information management. Chain of custody refers to the act, manner, handling, supervision and control of information. To achieve this, physical information could, for example, be tracked using bar codes, with regularly updated reports detailing where a document is at a given time.

The digital revolution has provided organisations with further challenges for information management and risk. With the volume of digital data received by an average business growing by 200 per cent per year, it is becoming increasingly difficult for businesses to monitor exactly where data is being stored and transferred. To tackle this problem, a sound approach to records management - including data entry, cataloguing, tracking, and retrieval and indexing systems - should be considered to ensure that sensitive digital data remains safe.

Once physical or digital information has become obsolete or can no longer be relied upon for its integrity, it must be appropriately destroyed. Employees need to be educated in the retention periods of different types of company data, and thought should be given to using a third party supplier to securely destroy information and provide a certificate of destruction.

Retaining both physical and digital information for longer than needed is common practice in many organisations, but this can have significant risk implications as the amount of information within a business increases.

If not managed or destroyed securely, sensitive data can escape an organisation through cyber attacks, espionage, theft or carelessness.

Security measures should also be considered to protect office premises. Increasingly, organisations are applying uniform and ID badge destruction policies to stop fraudsters having unauthorised entry to a company's premises and - by extension - access to its sensitive information.

Information is a key asset for any organisation. Failure to understand the risk implications of not managing data securely can have severe consequences for an organisation's reputation or even existence. Data protection is as much about a culture of awareness among staff as it is about corporate policy directives. To truly protect the organisation's critical data from malicious threats and to meet the ICO's guidelines, a continuous focus on culture, practice and control is imperative in a successful, secure data protection strategy.