Businesses are not doing enough to combat cyber risks despite an increased awareness of the need to take cyber security seriously, warn auditors.
The ICAEW report, Audit Insights: Cyber Security, says there is a growing gap between business and cyber attacker capabilities, with economic growth and new business activity continuously creating new cyber risks.
The Audit Insights: Cyber Security report is the second report sharing the collective insights of auditors from the six largest audit firms on how businesses deal with cyber threats. It highlights the fact that the nature of today’s business structures is slowing their ability to protect themselves, whilst the agility of cyber attackers increases – meaning the risk of attack is growing.
Among the challenges are the often complex nature of supply chains, the increased exploitation of digital channels and the disparate nature of data storage across servers, cloud storage and mobile devices. Each of these elements provides access points for attackers to exploit.
“Businesses are more aware of cyber risks than before and are working to mitigate threats, yet they are still falling further behind the cyber attackers,” said Richard Anning, Head of ICAEW’s IT Faculty. “Businesses must now match their good intentions with action. They need to focus their finite resources in the right places to prevent the gap from widening further, balancing investment in preventative controls with investment in new skills and solutions.
“It is no longer about simply being compliant with data protection regulations. Without sufficient levels of cyber security hygiene, corporates and consumers will voice their opinion by taking their custom elsewhere. Businesses must demonstrate that they are ready to deal with cyber attacks by having a plan of action in place. This is particularly important for businesses hoping to enter a major supply chain or considering an IPO, a merger or acquisition. It could also provide a competitive advantage against others in the market.”
The report outlines several recommendations for actions to be taken by businesses and their boards:
- Identify business-critical data and associated risks – even when there is no regulatory requirement to do so
- Continue to build knowledge on cyber risks, challenging the IT function to explain its security strategy and risk mitigation plans
- Design cyber security into all strategy and operations, considering it a business risk rather than a technical issue
- Pay more attention to the monitoring, detection and response to threats, not only focusing on prevention, so lessons can be learnt and breaches can be responded to speedily and openly
- Work with industry bodies and supply chain partners to share information on threats and attacks
The report also suggests that policy-makers should support businesses in building strong cyber security capabilities, focusing on providing training to smaller businesses.
“The most important thing is still to get the basics right. Up to 80% of security breaches can be prevented by having basic cyber security hygiene in place. Everybody with access to any business critical data must be vigilant, as attacks often happen through the extended supply chain, through digital channels, or through staff. Therefore, cyber risks must be considered, and skills improved, across the entire business and the economy more broadly,” said Richard.
The six audit firms represented on the working party behind the Cyber Security report are BDO, Deloitte, EY, Grant Thornton, KPMG and PwC, which between them audit all the FTSE 350 companies.