Over half (51pc) of businesses have suffered a cyber-attack in the last 12 months that has impacted products and services, according to new research out today. The report, Mind the Gap: Cybersecurity risk in the new normal, published by the Chartered IIA (Chartered Institute of Internal Auditors), is based on research during lockdown across all sectors, looking at cybersecurity risk.
Internal auditors report that the biggest barriers to implementing better cyber security practices during the pandemic are competing priorities (48pc), employees working remotely (42pc), and insufficient budget (28pc). Cyber criminals are taking advantage here, increasing the speed and sophistication of cyber-attacks. With many organisations looking to make working remotely permanent, implementing a strong cyber security culture has never been more urgent.
The Chartered IIA’s research demonstrates a concerning gap between understanding the significance of a strong cyber security culture and achieving one. Almost all (91pc) of the internal auditors responding state that implementing a stronger cyber security culture within their organisation would prevent attacks, and most (79pc) reported having practices in place to promote effective cyber security culture. However, only two thirds (65pc) actually ensure employees at all levels are aware of their role in cyber security. This proves there is work to be done for internal auditors to ensure robust cyber security-aware cultures are established and operating effectively.
– A general awareness of the importance of employee participation, with the top three methods used to manage and mitigate cyber security risk being: securing infrastructure (46pc), installing anti-virus protection software (29pc), and employee training (27pc).
– Only 33pc assessed whether their organisation had invested in security training for employees adapting to the new remote working environment; lack of such training could then contribute to lapses in human defences during the pandemic.
– Limited commitment to developing a strong cyber security culture, with only 32pc contributing to cyber security strategy/policy in their organisation, and only 31pc report helping to create a culture to learn from mistakes.
– Almost two thirds (65pc) reported that cyber security conversations had increased since the beginning of the pandemic.
The findings highlight the gap between awareness and action on the human layer of cyber security, which is of greater importance than ever due to the new working normal. Vodafone and the NHS have each contributed best practice tips to the report.
John Wood, Chief Executive of the Chartered IIA, said: “The perennial risk of the 21st century is cyber security, and this has been propelled to the forefront of most businesses’ minds over the last 12 months. The operational disruption and challenges that working from home has brought means it has never been more urgent for businesses to integrate an effective cyber security culture into their organisation.”
For the full report visit the IIA website. Some 177 senior internal auditors took part in the survey.
Chris Ross, SVP, International at Barracuda Networks said: “The pandemic has presented serious challenges to companies’ cyber security policies, with many businesses struggling to effectively equip their distributed workforce with the tools and know-how to defend themselves against the increasing threat facing them. In a home environment, weakened security gives cyber attackers opportunity to hack into home networks, via IoT devices, shared devices or unsecured or public WiFi networks.”
“Combatting the issue from a business perspective requires an overhaul of cybersecurity policy. Personal devices must be protected with VPN or ZTNA software, and public cloud applications and infrastructure should be properly protected with the right application security. Employees should go through regular training on the evolving cyber threatscape, and learn the best-practice security methods when working from a remote environment. CSOs and IT managers also have a responsibility to remain on the lookout for new angles and entry points to their system, which hackers could find, and take advantage of, unless properly diagnosed.”