Ms Treacy tells us that it is unsurprising that 61% of businesses view cyber security as an important issue.
What is surprising, both to Ms Treacy and to me, is that viewing security seriously and doing something about risk are two very different things. Specifically, the report notes that:
- only 37% have segregated wireless networks, or any rules around the encryption of personal data;
- 33% have a formal policy that covers cyber security risks, and only 32% document these risks in business continuity plans, internal audits or risk registers;
- 29% have made specific board members responsible for cyber security;
- a mere 20% have required staff to attend cyber security training in the last twelve months, with non-specialist staff being particularly unlikely to have attended;
- although 19% of businesses are worried about their suppliers’ cyber security, only 13% require suppliers to adhere to specific cyber security standards or good practice; and
- only 11% have a cyber security incident management plan in place.
Ms Treacy, writing in a personal capacity, ends her article by commenting that “These are worrying conclusions for all of us who regularly entrust our personal data to UK companies for processing.”