ICAEW’s latest report Audit Insights: Cyber Security, based on input from auditors from the top six audit firms, highlights that businesses are struggling to turn general awareness and concern about the growing impact of cybercrime into effective action.
ICAEW warns that governments and regulators are growing increasingly frustrated over the slow pace of change in business practices needed to deal with cyber risks and urges businesses to show more urgency and take control of their cyber agenda.
Richard Anning, head of ICAEW’s IT Faculty, said, “Nearly every business now operates in a digital environment, but despite years of warnings, many still regard cyber security as an optional extra.
“This is why we are increasingly seeing more data breaches that harm consumers and businesses alike. The issue is a cultural one. Cyber security is as integral to digital business as walls are to a house, but it’s often not seen like that.”
The report outlines how organisations can get on top of their cyber risks.
It encourages businesses to view cyber risks as “real and dynamic”: unlike most organisational risks, cyber risks evolve constantly, at a high pace and in unexpected ways, and attackers are always finding new ways to strike businesses.
“To improve their management of cyber risks, boards need to adopt an approach and mindset that is more fundamentally agile and business-centric,” the report said.
The report also suggests improving the quality of boards’ cyber security discussions.
ICAEW added that businesses need to take seriously the task of embedding the behavioural changes needed to support effective cyber processes, claiming, “people are the weakest link in cyber security”.
To make changes stick, the report suggests that businesses link cyber risks with business objectives, tailor their cyber security training and attach more significant consequences when staff fail to comply with policies and expected behaviours.
“Leading businesses recognise that good cyber security behaviour is a matter of organisational culture, meaning that security is integral to the values and goals of the organisation, with strong leadership at the heart of this cyber security culture,” the report added.
Anning added that businesses should ensure the board is held to the same level of accountability as staff and therefore acts as a role model.
The report also encourages organisations to build cyber security into their digital infrastructures from the start using cyber-by-design principles, so cyber security is seen as a precondition for trading and “good practices simply become part of the job”.
ICAEW warns that unless businesses step up their response capabilities to cybercrime and take control of these issues, more radical regulatory action is possible in order to drive quicker improvements.
“We can already see this starting to happen with the introduction of the General Data Protection Regulation (GDPR),” Anning added.
“Cyber threats are constantly evolving and changing alongside technology, and it is unrealistic to expect businesses to be able to respond to each and every threat.
“But this is why it is absolutely vital to consider risks regularly as part of the board governance process, rather than once a year with other more static risks, otherwise those threats will only be identified once it is too late.”