Companies are not recognising cyber security as a business risk, say their auditors in a new report from ICAEW. Audit Insights: Cyber Security focuses on the importance of closing the gap between cyber security strategy and business operations based on the observations and expertise of auditors from across industry.
The report highlights two main concerns identified by auditors: a disjointed approach to IT and business risk, and a lack of clear accountability at board level for cyber security. They also emphasise the importance, and difficulty, of gaining supply chain assurance.
Auditors recommend significantly improving communication between IT specialists, management, board members and throughout the organisation. A key element of this is the role of the chief information security officer (CISO), who should translate the technical language into a more business-orientated one.
Richard Anning, Head of IT Faculty at ICAEW, said: ‘Auditors, after reviewing their clients’ approach to cyber security, believe that we can no longer brush it aside and treat it as a problem related to the IT function only. It is an issue that is critical to the operation, strategy and reputation of the entire business and that is how it should be treated. There have been many cyber security breaches in 2015 that have exposed weaknesses in IT systems and security practices. Recent high profile examples where customer details have been stolen include Ashley Madison and TalkTalk.
‘Organisations need to define clear lines of responsibility and accountability as well as draw up response plans. Management and board members must communicate with IT professionals so they better understand the potential threats. This would enable them to spot risks and raise issues early, before they lead to destructive consequences. They also need to be ready to respond if a major breach occurs.’
As more and more companies move their operations to the virtual world (e.g. banks closing their branches and focusing on online banking), it is increasingly vital for organisations to remain vigilant about emerging threats. The report notes that businesses can come to see security as a compliance exercise and become complacent about reviewing and improving their measures.
Richard said: ‘As annual reports are increasingly focussing on non-financial information, boards are starting to ask auditors to review their cyber-security strategies and practices. This can give companies extra credibility, increasing investors’ confidence about the business. Most operations are now computerised, so it is no surprise shareholders want to ensure organisations can respond to emerging risks.
‘The key to success is understanding that in a digital world, cyber security is business security.’