Organisations, and in particular small and medium-sized enterprises, are lagging behind in implementing digital security risk management practices
Organisations are increasingly adopting a risk-based approach to security. However, the share of organisations with effective risk management approaches to security remains much too low. The proportion of businesses that have a formal digital security plan also varies widely across countries and by firm size. Results from the Eurostat Community Survey on ICT usage and e-commerce in enterprises indicate that SMEs were less likely to have a formally defined ICT security policy across all reporting EU countries in 2015. In almost all countries, the differential between SMEs and large enterprises was approximately 30 percentage points. Across the surveys that asked respondents about the biggest obstacles to more effective digital risk management practices, the highest-rated obstacle was consistently related to insufficient budget. A lack of qualified personnel also figured prominently.