To run a modern business successfully you must be able to manage cyber risks effectively. This is an increasingly challenging and resource-intensive task for organizations, but it’s not impossible. Create the right kind of corporate culture around security with well thought-out and communicated policies and you’re well on the way to minimizing risk by ensuring all staff know how to handle data correctly. Yet, according to our new Risk:Value report, only 56% of global organizations have a formal information security policy.

Clearly, this must change. With the EU General Data Protection Regulation (GDPR) set to land in May 2018, time is running out for organizations to develop, formalize and communicate effective policies, standards, and procedures to manage cyber risk. This affects all worldwide companies that process personal data on European Union citizens.

A world of risk

That figure of 56% is a slight increase on the 2015 figure of 52%, however still a long way from where it should be. We live in a world of elevated cyber risk. The past few months alone have witnessed a roll call of state-sponsored hacking incidents, financially motivated cybercrime and attention-grabbing hacktivism. The ease with which WannaCry ransomware ripped through organizations across the globe tells us that fundamental security best practice are still not being followed.

A key part of that best practice is to develop and enforce a comprehensive security policy. Yet many technology teams are stretched to the limit dealing with the sheer variety and volume of modern online threats. One day it could be commodity banking malware, the next a ransomware attempt and the following day a zero-day information stealing attempt by a nation state. Internal challenges are compounded by continuing skills shortages and a cybercrime underground growing every day in determination, sophistication, and financial resource.

Given the rapid development of the malicious actors and the challenges that bog down security program maturity, it is no surprise that over half of organizations, according to our report, claimed it was inevitable that they will suffer a data breach in the future.

Policy fail

With insider risk an increasingly important factor, information security policies and standards are vital to help ensure that staff treat data in a safe and compliant manner. Yet according to our findings, they are still too far down on the to-do list for organizations. Just over a quarter (27%) said they are only part of the way through implementing an official cybersecurity policy; a figure that hasn’t changed since 2015.

Developing a plan is one thing, but it’s virtually useless if not communicated effectively to employees. Respondents in the US (84%) and the UK (83%) outperformed the average (79%) in terms of organizations who claim to have communicated their security policies effectively to staff. But in reality, our research reveals that just 39% of employees are aware of their company’s information policy – so something is going wrong somewhere. It is also important to remember that posting policies in an obscure intranet page or simply emailing them is not enough.  Effectively communicating means working with stakeholders and ensuring buy-in from all business partners.

In many ways, it is illustrative of the fact that many boardrooms still do not take cybersecurity risk seriously enough. Just 56% of the companies surveyed in our research said attack prevention was a regular topic of discussion among their C-suite executives. With the GDPR on its way, in less than a year, there will soon be no room to hide for any CxOs running a business which doesn’t prioritize security. Fines of up to 4% of global annual turnover and mandatory 72-hour breach notification rules should focus board-level minds on the task at hand. And when they do, information security policies should be right up there at the top of the to-do list.

For more findings on the attitudes to risk and the value of information security to the business, download the NTT Security Risk:Value Report now: