Internal auditors say cyber-security is now the biggest risk facing their organisations, in part due to structural insecurities in corporate networks, the threat of data breaches and the growing sophistication of cyber-criminals.
And it’s not just fines that worry auditors but the fact that the regulator can freeze operations by halting the processing of data in the event of a breach.
According to a report by the Chartered Institute of Internal Auditors (CIIA), 66 percent of auditors say cyber-security is one of their top five concerns, placing it ahead of compliance (58 percent) and data security and protection (58 percent). Asked to say what the number one concern was, 15 percent of respondents said cyber-security, placing it number one on the list ahead of compliance (13 percent) and digitalisation (nine percent).
The conclusions are contained in the third annual report, Risk in Focus, published by the CIIA today. It’s based on face-to-face interviews with 42 chief audit executives (CAEs) in eight European countries conducted by the CIIA and six other European audit associations who are members of the European Confederation of Institutes of Internal Auditing. This year, for the first time, the authors of the report also conducted a survey of their members which received over 300 replies from CAEs.
The report found that all CAEs had cyber-security earmarked as a priority in their 2019 audit plans.
CIIA chief executive Dr Ian Peters said: "It is not surprising that organisations are most concerned with cyber-security, compliance and data protection in a post-GDPR world."
He said, "High-profile cyber-attacks such as Petya and WannaCry are becoming more and more prevalent and this means that organisations are only as strong as the weakest link in their IT supply chain."
The report identified the ‘piecemeal approach’ to IT infrastructure planning which companies have taken over the years as a major source of today’s problems. Siloed systems and bolt-on subsystems have been allowed to develop through poor governance and oversight of IT functions, the report said. This has come back to bite organisations, making their heterogeneous systems more vulnerable to cyber-criminals.
It noted that organisations have made great strides in securing their internal networks by upgrading systems and rationalising infrastructure and predicted that attention would increasingly shift to the security of supply chains and trusted third parties.
It is estimated that incidents of malware being used against supply chains in a bid to infiltrate connected targets increased by 200 percent in 2017, a trend which is only set to increase, the report said.
The trend of migrating data and services to the cloud will improve security, the report said, while noting that it raises issues of its own. Microsoft noted an increase in attacks against its customers' cloud-based systems, primarily through password compromise.
However, the report also noted that the General Data Protection Regulation (GDPR) is another source of risk, but not just in terms of fines for breaches. It noted that the owner of the data, the data controller, can be held liable for breaches of the cloud infrastructure, the data processor, "provided the processor has adhered to the controller’s requirements as detailed in the data-sharing agreement/contract".
While fines have drawn all the attention, the regulator also has the power to halt the processing of data in the event of a breach, with the potential to freeze a company’s operations regardless of which party was liable.