Businesses are not doing enough to combat cyber risks despite an increased awareness of the need to take cyber security seriously, warn auditors. The ICAEW report, Audit Insights: Cyber Security, says there is a growing gap between business and cyber attacker capabilities, with economic growth and new business activity continuously creating new cyber risks.
The Audit Insights: Cyber Security report, launched at The Parliament and the Internet Conference, is the second report sharing the collective insights of auditors from the six largest audit firms on how businesses deal with cyber threats. It highlights the fact that the nature of today's business structures is slowing businesses' ability to protect themselves, whilst the agility of cyber attackers increases, meaning the risk of attack is growing. Among the challenges are the often complex nature of supply chains, the increased exploitation of digital channels and the disparate nature of data storage across servers, cloud storage and mobile devices, each of which provides access points for attackers to exploit.
Richard Anning, Head of ICAEW's IT Faculty, said: "Businesses are more aware of cyber risks than before and are working to mitigate threats, yet they are still falling further behind the cyber attackers. Businesses must now match their good intentions with action. They need to focus their finite resources in the right places to prevent the gap from widening further, balancing investment in preventative controls with investment in new skills and solutions.
"It is no longer about simply being compliant with data protection regulations. Without sufficient levels of cyber security hygiene corporates and consumers will voice their opinion by taking their custom elsewhere. Businesses must demonstrate that they are ready to deal with cyber attacks by having a plan of action in place. This is particularly important for businesses hoping to enter a major supply chain or considering IPO, a merger or acquisition. It could also provide a competitive advantage against others in the market."
It is not only commercial businesses that will be required to take this decisive action. Since 1 October 2014, the Government has required all suppliers bidding for certain contracts that involve handling sensitive and personal information to be certified against the Cyber Essentials scheme, demonstrating that they take cyber risks seriously.
The report outlines several recommendations for actions to be taken by businesses and their boards:
- Identify business-critical data and associated risks - even when there is no regulatory requirement to do so
- Continue to build knowledge on cyber risks, challenging the IT function to explain its security strategy and risk mitigation plans
- Design cyber security into all strategy and operations, considering it a business risk rather than a technical issue
- Pay more attention to monitoring, detecting and responding to threats, rather than focusing only on prevention, so that lessons can be learnt and breaches can be responded to speedily and openly
- Work with industry bodies and supply chain partners to share information on threats and attacks
The report also suggests that policy-makers should increase support for businesses in building strong cyber security capabilities, focusing on providing training to smaller businesses.
"The most important thing is still to get the basics right. Up to 80% of security breaches can be prevented by having basic cyber security hygiene in place. Everybody with access to any business critical data must be vigilant, as attacks often happen through the extended supply chain, through digital channels, or through staff. Therefore, cyber risks must be considered, and skills improved, across the entire business and the economy more broadly," said Richard.
The Audit Insights report is part of a wider initiative by ICAEW to demonstrate the value of audit. Previous reports have focused on the retail, manufacturing, banking and construction sectors. The six audit firms represented on the working party behind the Cyber Security report are BDO, Deloitte, EY, Grant Thornton, KPMG and PwC, which between them audit all the FTSE 350 companies.