
Over half of businesses suffered a cyber attack within the last twelve months

Over half (51%) of businesses have suffered a cyber-attack in the last 12 months that has impacted products and services, according to new research out today. The report, Mind the Gap: Cybersecurity risk in the new normal, published by the Chartered IIA, is based on research carried out during lockdown across all sectors, looking at cybersecurity risk.

Internal auditors report that the biggest barriers to implementing better cyber security practices during the pandemic are competing priorities (48%), employees working remotely (42%), and insufficient budget (28%). Cybercriminals are taking advantage here, increasing the speed and sophistication of cyber-attacks. With many organisations looking to make working remotely permanent, implementing a strong cyber security culture has never been more urgent.

The Chartered IIA’s research demonstrates a concerning gap between understanding the significance of a strong cyber security culture and achieving one. Almost all (91%) of the internal auditors responding state that implementing a stronger cyber security culture within their organisation would prevent attacks, and most (79%) reported having practices in place to promote an effective cyber security culture. However, only two thirds (65%) actually ensure employees at all levels are aware of their role in cyber security. This proves there is work to be done for internal auditors to ensure robust cyber security-aware cultures are established and operating effectively.

Key findings from the report include:

  • A general awareness of the importance of employee participation, with the top three methods used to manage and mitigate cyber security risk being: securing infrastructure (46%), installing anti-virus protection software (29%), and employee training (27%).
  • Only 33% assessed whether their organisation had invested in security training for employees adapting to the new remote working environment; a lack of such training could then contribute to lapses in human defences during the pandemic.
  • Limited commitment to developing a strong cyber security culture, with only 32% contributing to cyber security strategy/policy in their organisation, and only 31% reporting that they help to create a culture to learn from mistakes.
  • Almost two thirds (65%) reported that cyber security conversations had increased since the beginning of the pandemic.

The findings highlight the gap between awareness and action on the human layer of cyber security, which is of greater importance than ever due to the new working normal.

Vodafone and the NHS have each contributed best practice tips to the report.

John Wood, Chief Executive of the Chartered IIA, said:

“The perennial risk of the 21st century is cyber security, and this has been propelled to the forefront of most businesses’ minds over the last 12 months. The operational disruption and challenges that working from home has brought means it has never been more urgent for businesses to integrate an effective cyber security culture into their organisation.

This research published today by the Chartered IIA highlights the human element to cyber security. Employee compliance with protocols is key in preventing attacks, and internal audit has a vital role to play in promoting an effective cyber security culture in their organisations to mitigate the risk of human error. This report aims to educate, inform and guide internal audit’s thinking in this area.”

Cyber security risk has been highlighted as the number one risk in the Chartered IIA’s Risk in Focus report for three consecutive years, with 79% of Chief Audit Executives identifying cyber security as the top risk to their organisation in 2020. According to the ICO, 90% of cyber security breaches in 2019 were caused by human error. This underlines the importance of developing a strong cybersecurity culture to prevent attacks.

Michael Townsend, Head of Internal Audit at London Audit (Barts Health NHS Trust):

“People issues, training and awareness raising are integral to effective cyber security protocols. The key is to continuously prioritise staff training, ensuring human defences are strong against potential attacks. Good communication is paramount; ensure you are consistently updating the intranet, including messages on payslips, emails and surveys to keep awareness and vigilance high among all employees.

Internal auditors need to be aware of the big picture. Technical controls can only go so far - they can be undone by an employee at a click of a button, so user awareness is key.”

Paul Holland, Global Head of Technology Audit at Vodafone Group plc said:

“Cyber security is one of the key risks for Vodafone, and managing this across a large international business using separate technologies presents a number of unique challenges. The internal audit team plays a key role in influencing the way cyber risks are understood and managed within the organisation.

We carry out specific ‘cyber audits’, as well as integrate ‘cyber risks’ within business process audits, to provide assurance over the effectiveness of the company’s defences against cyber criminals. We consistently analyse ways of working and proactively engage with stakeholders to drive a culture of trust and transparency in the area of cyber risk, throughout all of Vodafone.”

The full report is available here.

Notes to editors

  1. The Chartered IIA represents over 10,000 internal audit professionals in organisations spanning all sectors of the economy, across the UK and Ireland. It champions the contribution internal audit makes to good corporate governance, strong risk management and a rigorous control environment leading to the long-term success of organisations, including those in the public sector.
  2. For further information about the report, please contact Sophie Stileman of Atlas Partners. You can reach her on email at or via mobile on 07715 888 164