Board must set cyber security agenda - ICAEW
If businesses do not take cyber security seriously in their business planning, regulators may do it for them, the ICAEW has warned
If businesses fail to take cyber security seriously in their business planning, regulators may do it for them, the ICAEW has warned.
Richard Anning, head of ICAEW’s IT Faculty, said boards must grasp the nettle and deal with it as a priority: “Despite years of warnings, many still regard cyber security as an optional extra. This is why we are increasingly seeing more data breaches that harm consumers and businesses alike. Cyber security is integral to digital business.”
According to ICAEW’s latest report, Audit Insights: Cyber Security, high-profile data breaches and the slow pace of cyber security progress mean that, unless boards take control of the agenda themselves, governments may decide to legislate.
Anning continued: “Unless boards take control of these issues, it is only a matter of time before governments start to bring in tough new laws – this has already begun with the introduction of General Data Protection Regulation (GDPR). The boards can start by using cyber-by-design principles, so cyber security is seen as a precondition for trading at all.”
Audit Insights: Cyber Security is based on input from auditors from the top six audit firms. This fourth report focuses on why change here seems so difficult and highlights how organisations can get on top of their cyber risks.
The report focuses on themes such as seeing cyber risks as real and dynamic, since they change constantly as technology develops. It also focuses on taking behavioural change seriously, as the training needed to support cyber processes is not embedded. Businesses should link cyber risks with their business objectives and impose consequences for non-compliance. Finally, it notes that most organisations have a digital infrastructure but do not see cyber security as a precondition for operating.
Anning concluded: “Cyber threats are constantly evolving and changing alongside technology, and it is unrealistic to expect businesses to be able to respond to each and every threat. But this is why it is absolutely vital to consider risks regularly as part of the board governance process.”
The full report can be downloaded from icaew.com/cyber