New research shows that organisations are still failing to prepare for cyber attacks, which could result in substantial fines from the government.
Almost a third (31 per cent) of organisations have been affected by cyber crime in the past 12 months, according to new research from business continuity expert Databarracks.
In light of this, the company suggests that organisations must look to invest in ongoing cyber awareness training, especially following the government鈥檚 proposed fines for firms who fall victim to cyber attacks.
As part of the Network and Information Systems (NIS) directive, which becomes law across the EU next May and is separate from the General Data Protection Regulation (GDPR), the government has warned that organisations could face fines of up to 拢17million or 4 per cent of global turnover if they fail to protect against hackers.
Findings from Databarracks’ seventh Data Health Check report, which surveyed over 400 IT decision makers in the UK about their IT security and continuity practices, shows:
- 41 per cent of organisations have not invested in any safeguards over the last 12 months;
- Only 34 per cent of organisations have invested in cyber awareness training;
- Only 11 per cent of organisations have certified to a cyber security framework.
Peter Groucutt, managing director at Databarracks, has outlined the importance of ongoing cyber awareness training for staff, as well as the need to ensure that firms are continuously communicating risks throughout the business.
鈥淥ngoing cyber awareness training is an integral element in an organisation鈥檚 defence against cyber attacks,鈥 he said.
鈥淗owever, our research indicates that this has not been a focal point for many organisations over the past 12 months. This is concerning, especially in light of the NIS directive, and therefore immediate action is needed to address it.鈥
For organisations who only carry out awareness training once a year – typically as part of an initial employee induction – Databarracks recommends increasing this to at least twice annually as well as providing employees with frequent security refreshers.
鈥淭he rate of change in cyber threats means that we all need to constantly adapt our methods of protection,鈥 says Groucutt.
鈥淚t鈥檚 no longer acceptable for cyber awareness training to be a five-minute warning given to new starters, the entire workforce needs to be informed and up to date on new threats.
鈥淎dditionally, this approach needs to be supported by the IT department who, when an incident occurs, needs to communicate this to the entire business, providing insight as to why an incident took place, what the implications were and, most importantly, what can be done to prevent this from happening again.
鈥淧rotecting your organisation from threats in not just about preventative technology, it鈥檚 also about building a culture of information security.
鈥淎n employee鈥檚 understanding of security is one of the most important and effective security measures that organisations should be investing in, not least because unwitting employees are often the unknowing accomplice within an attack.
鈥淲hile good security habits take time, effort and repetition, it鈥檚 better to invest in good practices now than pay the price later.鈥
The crackdown is aimed at making sure essential services such as water, energy, transport and health firms are safeguarded against hacking attempts.
According to the government, the fines will be a last resort and they will not apply to organisations who have put the appropriate safeguards in place but have still suffered a breach.