13 Oct 2016 04:30pm

Businesses need to step up fight against cyber crime, ICAEW warns

High-profile data breaches and the slow pace of cyber security progress mean governments could decide to step in and introduce tough laws unless businesses show they are taking cyber security seriously, ICAEW has warned.

ICAEW’s latest report Audit Insights: Cyber Security, based on input from auditors from the top six audit firms, highlights that businesses are struggling to turn general awareness and concern about the growing impact of cybercrime into effective action.

ICAEW warns that governments and regulators are growing increasingly frustrated over the slow pace of change in business practices needed to deal with cyber risks and urges businesses to show more urgency and take control of their cyber agenda.

Richard Anning, head of ICAEW’s IT Faculty, said, “Nearly every business now operates in a digital environment, but despite years of warnings, many still regard cyber security as an optional extra.

“This is why we are increasingly seeing more data breaches that harm consumers and businesses alike. The issue is a cultural one. Cyber security is as integral to digital business as walls are to a house, but it’s often not seen like that.”

The report outlines how organisations can get on top of their cyber risks.

It encourages businesses to view cyber risks as “real and dynamic”: unlike most organisational risks, cyber risks evolve constantly, at a high pace and in unexpected ways, and attackers are always finding new ways to strike businesses.

“To improve their management of cyber risks, boards need to adopt an approach and mindset that is more fundamentally agile and business-centric,” the report said.

The report also suggests improving the quality of boards’ cyber security discussions.

ICAEW added that businesses need to take seriously the task of embedding the behavioural changes needed to support effective cyber processes, claiming that “people are the weakest link in cyber security”.

To make changes stick, the report suggests that businesses link cyber risks with business objectives, tailor their cyber security training and attach more significant consequences when staff fail to comply with policies and expected behaviours.

“Leading businesses recognise that good cyber security behaviour is a matter of organisational culture, meaning that security is integral to the values and goals of the organisation, with strong leadership at the heart of this cyber security culture,” the report added.

Anning added that businesses should ensure the board is held to the same level of accountability as staff and therefore acts as a role model.

The report also encourages organisations to build cyber security into their digital infrastructures from the start using cyber-by-design principles, so that cyber security is seen as a precondition for trading and “good practices simply become part of the job”.

ICAEW warns that unless businesses step up their capabilities to respond to cybercrime and take control of these issues, more radical regulatory action is possible in order to drive quicker improvements.

“We can already see this starting to happen with the introduction of the General Data Protection Regulation (GDPR),” Anning added.

“Cyber threats are constantly evolving and changing alongside technology, and it is unrealistic to expect businesses to be able to respond to each and every threat.

“But this is why it is absolutely vital to consider risks regularly as part of the board governance process, rather than once a year with other more static risks, otherwise those threats will only be identified once it is too late.”

Sinead Moore

