The ICAEW is a professional membership organization with more than 140,000 chartered accountant members around the world. A new report published today, 'Audit Insights, Cyber Security', shares for the first time the insights its members have gathered through their extensive experience of company audits, with specific reference to cybersecurity. It concludes, very clearly, exactly what the security industry has been warning: breaches happen and cannot be wholly prevented. The best response is a risk management approach, with extra effort put into protecting the most important information assets.
The report actually goes a bit further. Since companies must assume that their systems will be compromised, a new mindset should be adopted. "For example," it says, "some degree of security breach has to be tolerated as an unavoidable part of doing business in a digital world. Businesses increasingly need to promote operational resilience and prioritize activities which deal with breaches, such as intelligence and monitoring, detection and response."
This doesn't mean that 'defense' should be completely abandoned in favor of 'response', but that companies need to prioritize their defense. They should "focus their resources on their ‘crown jewels’. This enables a more sophisticated risk-based approach to security which balances the benefits and costs of security measures, and identifies where security breaches would have a substantial impact on the competitiveness and sustainability of the business."
Launching the report, Claire Reid, IT audit partner at PwC and ICAEW Audit Insights working group member, explained, “Businesses need to expand the focus of their security activities in response to the changing environment. This report outlines a number of recommendations for boards to review their cyber strategy and improve security practices."
She also outlined one of the dangers in failing to achieve this. "Furthermore," she added, "governments are increasingly interested in the ability of businesses to protect themselves and their wider supply chains against cyber-attacks. Given the importance of the growing digital economy, the impact of continuing security failures on individual businesses may be significant. Government interest in this area is likely to grow, especially if breaches and losses continue to rise.”
The danger inherent in increasing government intervention is described within the report. "Effective regulation is challenging, given the speed of technological and business change, and there are inherent risks of unintended consequences around greater regulatory activity." The best way for business to avoid those unintended consequences is to improve its own security before regulatory intervention becomes necessary.
But the scale of the problem facing business is also highlighted by the report, with companies failing to get the basics right. "While management usually have good intentions to make improvements, this is rarely translated into effective action." ICAEW suggests that for large companies the primary problem is the sheer size and complexity of their IT estates, while for smaller companies it is "a lack of skills, resources and prioritization."
The main solution, says ICAEW, is another change of mindset. Cybersecurity must change from being a technical issue to a business strategy. "In order to manage cyber risks effectively, businesses need to approach them as an integral part of business strategy and operations, not as a technical or specialist topic."