Over half (51%) of businesses have suffered a cyber-attack in the last 12 months that has impacted products and services, according to new research out today. The report, Mind the Gap: Cybersecurity risk in the new normal, published by the Chartered IIA is based on research carried out during lockdown across all sectors, looking at cybersecurity risk.
Internal auditors report that the biggest barriers to implementing better cybersecurity practices during the pandemic are competing priorities (48%), employees working remotely (42%), and insufficient budget (28%). Cybercriminals are taking advantage here, increasing the speed and sophistication of cyber-attacks. With many organisations looking to make working remotely permanent, implementing a strong cybersecurity culture has never been more urgent.
The Chartered IIA’s research demonstrates a concerning gap between understanding the significance of a strong cybersecurity culture and achieving one. Almost all (91%) of the internal auditors responding state that implementing a stronger cybersecurity culture within their organisation would prevent attacks, and most (79%) reported having practices in place to promote an effective cybersecurity culture; however, only two thirds (65%) actually ensure that employees at all levels are aware of their role in cybersecurity. This shows there is work to be done for internal auditors to ensure robust cybersecurity-aware cultures are established and operating effectively.
Key findings from the report include:
- A general awareness of the importance of employee participation, with the top three methods used to manage and mitigate cybersecurity risk being: securing infrastructure (46%), installing anti-virus protection software (29%), and employee training (27%).
- Only 33% assessed whether their organisation had invested in security training for employees adapting to the new remote working environment; a lack of such training could contribute to lapses in human defences during the pandemic.
- Limited commitment to developing a strong cybersecurity culture, with only 32% contributing to cybersecurity strategy/policy in their organisation, and only 31% reporting that they helped to create a culture of learning from mistakes.
- Almost two thirds (65%) reported that cybersecurity conversations had increased since the beginning of the pandemic.
The findings highlight the gap between awareness and action on the human layer of cybersecurity, which is of greater importance than ever due to the new working normal.
Vodafone and the NHS have each contributed best practice tips to the report.
John Wood, Chief Executive of the Chartered IIA, said:
“The perennial risk of the 21st century is cybersecurity, and this has been propelled to the forefront of most businesses’ minds over the last 12 months. The operational disruption and challenges that working from home has brought means it has never been more urgent for businesses to integrate an effective cybersecurity culture into their organisation.
This research published today by the Chartered IIA highlights the human element to cybersecurity. Employee compliance with protocols is key in preventing attacks, and internal audit has a vital role to play in promoting an effective cybersecurity culture in their organisations to mitigate the risk of human error. This report aims to educate, inform and guide internal audit’s thinking in this area.”
Cybersecurity risk has been highlighted as the number one risk in the Chartered IIA’s Risk in Focus report for three consecutive years, with 79% of Chief Audit Executives identifying cybersecurity as the top risk to their organisation in 2020. According to the ICO, 90% of cybersecurity breaches in 2019 were caused by human error – this underlines the importance of developing a strong cybersecurity culture to prevent attacks.
Michael Townsend, Head of Internal Audit at London Audit (Barts Health NHS Trust), said:
“People issues, training and awareness raising are integral to effective cybersecurity protocols. The key is to continuously prioritise staff training, ensuring human defences are strong against potential attacks. Good communication is paramount; ensure you are consistently updating the intranet, including messages on payslips, emails and surveys to keep awareness and vigilance high among all employees.
Internal auditors need to be aware of the big picture. Technical controls can only go so far – they can be undone by an employee at a click of a button, so user awareness is key.”
Paul Holland, Global Head of Technology Audit at Vodafone Group plc said:
“Cybersecurity is one of the key risks for Vodafone, and managing this across a large international business using separate technologies presents a number of unique challenges. The internal audit team plays a key role in influencing the way cyber risks are understood and managed within the organisation.
We carry out specific ‘cyber audits’, as well as integrating ‘cyber risks’ within business process audits, to provide assurance over the effectiveness of the company’s defences against cyber criminals. We consistently analyse ways of working and proactively engage with stakeholders to drive a culture of trust and transparency in the area of cyber risk, throughout all of Vodafone.”