Board briefing: Cyber security
Cyber security has grown to become a key business risk. Forthcoming EU regulations – the Network and Information Security (NIS) Directive and General Data Protection Regulation (GDPR) – will place significant new obligations on UK organisations in this area.
Internal audit has a critical role to play in assuring that cyber security risk controls, policies, and procedures are fit for purpose and being implemented effectively at all levels, and that organisations are compliant with the new regulations.
- Cyber security starts with the board and senior management setting a clearly articulated strategy that supports and protects the organisation’s objectives.
- A strong cyber awareness culture is one of the best defences against cyber-attacks. Internal audit has a crucial role to play in ensuring that this culture is understood and ‘lived’ by staff at all levels.
- Forthcoming EU regulations will increase the burden on organisations to ensure they have effective cyber security strategies and culture in place, in addition to robust controls and policies to prevent and remediate attacks.
- The board and internal audit must work together to ensure that all of the organisation’s data assets, and the potential cyber threats that could jeopardise those assets, have been adequately mapped out. Cyber assurances agreed in the audit plan should reflect the organisation’s cyber risk appetite.