Over half (51%) of businesses have suffered a cyber-attack in the last 12 months that has impacted products and services, according to new research out today. The report, Mind the Gap: Cybersecurity risk in the new normal, published by the Chartered IIA, is based on research carried out during lockdown across all sectors, looking at cybersecurity risk.
Internal auditors report that the biggest barriers to implementing better cyber security practices during the pandemic are competing priorities (48%), employees working remotely (42%), and insufficient budget (28%). Cybercriminals are taking advantage here, increasing the speed and sophistication of cyber-attacks. With many organisations looking to make working remotely permanent, implementing a strong cyber security culture has never been more urgent.
The Chartered IIA’s research demonstrates a concerning gap between understanding the significance of a strong cyber security culture and achieving one. Almost all (91%) of the internal auditors responding state that implementing a stronger cyber security culture within their organisation would prevent attacks, and most (79%) reported having practices in place to promote an effective cyber security culture. However, only two thirds (65%) actually ensure employees at all levels are aware of their role in cyber security. This proves there is work to be done for internal auditors to ensure robust cyber security-aware cultures are established and operating effectively.
Key findings from the report include:
The findings highlight the gap between awareness and action on the human layer of cyber security, which is of greater importance than ever due to the new working normal.
Vodafone and the NHS have each contributed best practice tips to the report.
“The perennial risk of the 21st century is cyber security, and this has been propelled to the forefront of most businesses’ minds over the last 12 months. The operational disruption and challenges that working from home has brought mean it has never been more urgent for businesses to integrate an effective cyber security culture into their organisation.
This research published today by the Chartered IIA highlights the human element to cyber security. Employee compliance with protocols is key in preventing attacks, and internal audit has a vital role to play in promoting an effective cyber security culture in their organisations to mitigate the risk of human error. This report aims to educate, inform and guide internal audit’s thinking in this area.”
Cyber security risk has been highlighted as the number one risk in Chartered IIA’s Risk in Focus report for three consecutive years, with 79% of Chief Audit Executives identifying cyber security as the top risk to their organisation in 2020. According to the ICO, 90% of cyber security breaches in 2019 were caused by human error - this underlines the importance of developing a strong cybersecurity culture to prevent attacks.
“People issues, training and awareness raising are integral to effective cyber security protocols. The key is to continuously prioritise staff training, ensuring human defences are strong against potential attacks. Good communication is paramount; ensure you are consistently updating the intranet, including messages on payslips, emails and surveys to keep awareness and vigilance high among all employees.
Internal auditors need to be aware of the big picture. Technical controls can only go so far - they can be undone by an employee at a click of a button, so user awareness is key.”
“Cyber security is one of the key risks for Vodafone, and managing this across a large international business using separate technologies presents a number of unique challenges. The internal audit team plays a key role in influencing the way cyber risks are understood and managed within the organisation.
We carry out specific ‘cyber audits’, as well as integrate ‘cyber risks’ within business process audits, to provide assurance over the effectiveness of the company’s defences against cyber criminals. We consistently analyse ways of working and proactively engage with stakeholders to drive a culture of trust and transparency in the area of cyber risk, throughout all of Vodafone.”
The full report is available here.