Cyber security is critical business risk, says ICAEW

According to research from The Institute of Chartered Accountants in England and Wales (ICAEW), company auditors are reporting that companies still do not recognise cyber security as a risk to their business.

The ICAEW report 'Audit Insights: Cyber Security' uses observations and the expertise of auditors from across the spectrum of industry to highlight the need to close the gap between business operations and cyber security strategy.

Two main concerns

The ICAEW's research identified two main concerns that were raised by auditors who took part in the study.

These factors were a perceived lack of clear board level accountability for cyber security along with a disjointed approach to IT and business risk. Other concerns included the importance of supply chain assurance and the difficulties in attaining it.

Extra credibility

Head of IT faculty at ICAEW Richard Anning commented: "Auditors, after reviewing their clients’ approach to cyber security, believe that we can no longer brush it aside and treat it as a problem related to the IT function only."

"As annual reports are increasingly focusing on non-financial information, boards are starting to ask auditors to review their cyber-security strategies and practices. This can give companies extra credibility, increasing investors’ confidence about the business," Anning explained.

The report makes the point that security can be seen as a compliance exercise by businesses, and this leads to complacency when measures need to be reviewed and improved.

Recommendations include improving lines of communication between IT workers, management and board members by enhancing the role of the chief information security officer (CISO).