Auditors warn that businesses are falling still further behind the cyber attackers

According to a new study, UK businesses are still not taking the threat of cyber crime seriously enough, with the attackers often winning. Such businesses include electrical sector firms – both large and small. James Hunt reports:

Around the world every day, thousands of IT systems are compromised by viruses, malware and hackers. There are various reasons for attack, but usually businesses are attacked to steal money or commercial secrets.
 
A new report, by ICAEW and entitled ‘Audit Insights: Cyber Security’, finds that businesses are not doing enough to combat cyber risks, and that this is despite an increased awareness of the need to take cyber security seriously. The study also finds that there is a growing gap between business and cyber attacker capabilities, with economic growth and new business activity continuously creating new cyber risks.
 
Just launched at The Parliament and the Internet Conference, this report is the second one sharing the collective insights of auditors from the six largest audit firms on how businesses deal with cyber threats. It highlights the fact that the nature of today’s businesses is often making it harder for them to protect themselves, whilst the agility of cyber attackers – meaning the risk of attack – is growing.
 
The protection of crucial information assets is of critical importance to the sustainability and competitiveness of modern businesses. Firms need to ensure they are fully cyber prepared. Cyber security is all too often thought of as an IT issue, rather than the strategic risk management issue it actually is.
 
The problems include the often-complex nature of the supply chains, the increased exploitation of digital channels and the disparate nature of data storage across servers, cloud storage and mobile devices. All of these elements provide potential access points for exploiters. 
 
Commented Richard Anning, head of ICAEW’s IT Faculty: “Businesses are more aware of cyber risks than before and are working to mitigate threats, yet they are still falling further behind the cyber attackers. So businesses must now match their good intentions with action. They need to focus their finite resources in the right places to prevent the gap from widening further, balancing investment in preventative controls with investment in new skills and solutions.”
 
He continued: “It is no longer about simply being compliant with data protection regulations. Without sufficient levels of cyber security hygiene, corporates and consumers will voice their opinion by taking their custom elsewhere. 
 
“Businesses must demonstrate that they are ready to deal with cyber attacks by having a plan of action in place. This is particularly important for businesses hoping to enter a major supply chain or considering IPO, a merger or acquisition. It could also provide a competitive advantage against others in the market,” he said.
 
“The most important thing is still to get the basics right. Up to 80% of security breaches can be prevented by having basic cyber security hygiene in place. Everybody with access to any business critical data must be vigilant, as attacks often happen through the extended supply chain, through digital channels, or through staff. Therefore, cyber risks must be considered, and skills improved, across the entire business and the economy more broadly,” concluded Richard.
 
For Government too
 
Moreover, UK Government suppliers will also need to take such decisive action, because, since 1 October 2014, all suppliers bidding for certain sensitive and personal information handling contracts must be certified against the Cyber Essentials scheme, demonstrating that they take cyber risks seriously.
 
Recommended actions
 
‘Audit Insights: Cyber Security’ outlines several recommendations for actions to be taken by businesses and their boards. These are:
 
  • Identify business-critical data and associated risks – even when there is no regulatory requirement to do so
  • Continue to build knowledge on cyber risks, challenging the IT function to explain its security strategy and risk mitigation plans
  • Design cyber security into all strategy and operations, considering it a business risk rather than a technical issue
  • Pay more attention to the monitoring, detection and response to threats, not only focusing on prevention, so lessons can be learnt and breaches can be responded to speedily and openly
  • Work with industry bodies and supply chain partners to share information on threats and attacks.
 
The report also suggests that policy-makers should increase support for businesses in building strong cyber security capabilities, focusing on providing training to smaller businesses.
 
The Audit Insights report is part of a wider initiative by ICAEW to demonstrate the value of audit. Previous reports have focused on the retail, manufacturing, banking and construction sectors. The six audit firms represented on the working party behind the Cyber Security report are BDO, Deloitte, EY, Grant Thornton, KPMG and PwC, which between them audit all the FTSE 350 companies.
 
The Audit Insights: Cyber Security report can be accessed from: www.icaew.com/auditinsights
 
End of Windows XP also a security issue
 
The ending of Windows XP support is also a security issue. Support for Microsoft’s 12-year-old Windows XP officially ceased on April 8th 2014, so effectively, Microsoft no longer provides users with security updates or technical support for this operating system.
 
The discontinued support affects millions of users worldwide, including the many companies that have implemented Windows XP in industrial automation and other applications.
 
Cybersecurity is the largest concern related to the continued use of Windows XP in industrial automation. Even so, many other businesses could be affected, including those of electrical contractors. Read more at: http://www.voltimum.co.uk/articles/end-windows-xp-support-will-affect-thousands-industrial-and-other-systems

  • Nov 06, 2014
