New Iron Mountain survey reveals surprising lack of internal risk awareness 

Organisations throughout Europe are facing escalating threats due to a lack of risk awareness amongst employees, according to a new pan-EMEA study from Iron Mountain Incorporated (NYSE: IRM)[1]. As leadership teams worldwide focus on “future of work” strategic planning, the insights generated by this survey can help operations build long-term resilience in a hybrid working world.

According to the study, one in three employees (32%) claim to have made a “critical” error at work, and 14% have taken a risk which cost their organisation money.

Despite three quarters of employees believing risk management is vital to protecting sensitive information, half (49%) still consider it worth taking risks at work – men more so than women (54% vs 44%).

“We all make mistakes, so risk – by definition – is an ever-present factor in business,” says Sue Trombley, Managing Director of Thought Leadership, Iron Mountain. “But today’s increasingly digital age is seeing increasing risks, which means risk management must constantly evolve. With new business models, hybrid working and the growing threat of cyberattack, it’s now more important than ever to manage employees and internal risks effectively in order to build resilience by design.”

A quarter (25%) of respondents say they have fallen victim to scams or phishing. Despite this, however, Iron Mountain’s research shows that employees are continuing to take security risks:


  •   34% use the same password across multiple platforms
  •   27% forget to lock their laptop when leaving their desk
  •   18% keep their password on a note on their desk

Importantly, the risks are magnified by hybrid working, particularly when more than a third (36%) of employees admit to being less security conscious at home than at the office.


“We often display an optimism bias when it comes to risk perception where, even when we are aware risks exist – such as knowing we should not use the same password across multiple platforms,” says Dr Nilufar Ahmed, a behavioural psychologist at the University of Bristol. “We just don’t think anything bad will happen to us personally. We convince ourselves we are safe from risk. This leads to underestimating risk and overestimating the precautions we are taking to protect against risk.” 

At a time when the average cost of a data breach has reached $4.24 million[2], these trends underline the importance of effective workplace training, so every employee rethinks their role in managing risk.

However, the findings also raise questions about the impact of current awareness efforts. Whilst 66% of data managers surveyed said that risk training sessions are attended by 50-100% of employees, more than a third (36%) of workers said they have never received such training.

“An element of risk-taking can enable a business to innovate, but lack of awareness about potential everyday dangers can hinder long-term resilience,” adds Sue Trombley. “We advise empowering every employee to become a risk ambassador by embedding risk awareness within your culture.”

“Resilient systems can lead to greater resilience in staff which will result in happier and more confident staff and this will translate into greater productivity and profitability,” concludes Dr Nilufar Ahmed. 

To find out more about the survey results and join our virtual event where you can share your views on this debate, visit the website.