Irish businesses have been criticized for their IT security standards after it was revealed that a significant majority are not currently meeting the legal requirements, reports the Irish Times.

According to a new survey of 200 Irish companies, conducted by Red C for A&L Goodbody, around 65 percent do not have any written cybersecurity policy in place, while 59 percent have provided no training to employees on what to do in the event of a cyberattack. Half of the businesses in the survey sample said their data is stored by a third party off-site, but 44 percent of those said they didn’t know their supplier’s policy in the event of a cyberattack.

Worryingly, 28 percent of company boards had not even considered the possibility of an attack on their IT systems, while around 25 percent had not been briefed on their businesses’ legal obligations and the mechanisms that were in place.

The Irish Independent notes that these companies' failure to meet the basic legal requirements for cybersecurity could leave them open to legal action and potentially to fines.

A&L Goodbody’s head of international technology practice, John Whelan, reiterated the importance of companies having policies in place to protect against cyberattacks.

“As cyber risk becomes more sophisticated, and more prevalent, businesses are exposed to increasing risk to their reputation and their bottom line,” said Whelan. “Twelve months ago there was a lack of awareness among companies [on the subject of internet security]. Now there is a lack of preparedness. The law isn’t clear to people.”

Earlier this year, the Irish government's Freedom of Information website was attacked by a hacking group claiming to have ties to the ISIS terror group. The incident was one in a string of similar hacks being investigated by the FBI, which said it does not believe the connection to ISIS is genuine.