Audit & Risk

UK organisations double cybersecurity spend, but lack crucial information

The latest Global State of Information Security Survey from PwC suggests that UK organisations are belatedly trying to shore up their cybersecurity provisions, but that many still need to move cybersecurity up the boardroom agenda if they are to see real results.

UK organisations doubled their information security budgets last year, spending £6.2m on average (compared with £3m in 2015), and over one and a half times more than their global counterparts (the average spend is £3.9m). Despite this, nearly a fifth (18 per cent) don’t know how many cyberattacks they experienced last year and 17 per cent of all respondents don’t know the probable source of security incidents, according to PwC’s latest annual Global State of Information Security Survey 2017. Security incidents now cost organisations an average of £2.6m (up from £1.7m last year) and executives around the world are realising that they cannot afford to ignore protecting their assets, researchers said.

The survey was produced in conjunction with CIO and CSO, based on interviews with over 10,000 executives from more than 133 countries, including 479 UK respondents. Key findings include: 

  • 18 per cent of UK organisations don’t know how many cyberattacks they suffered last year. 
  • Nearly eight in ten experienced down-time because of security incidents. 
  • The average number of security incidents faced by UK companies increased by 23 per cent to 5,792. 
  • Incidents now cost an average of £2.6m, up 53 per cent from last year. 
  • Only 28 per cent of UK boards are involved in setting security strategy.
  • Current employees continue to be the top insider risk, but increasingly business partners are also a risk.

“We’re beginning to see a shift in thinking. Organisations have come to realise that they can’t view cybersecurity as just a cost or barrier to change given the many high-profile incidents we’ve seen recently,” said Richard Horne, UK cybersecurity partner at PwC. “Getting security right is not only essential to the day-to-day running of a business, but can even be a competitive advantage, help to drive business growth and build brand trust.”

The survey found that UK boards are less involved than those in other markets in setting the security budget and, more importantly, the strategy. The board sets the security budget in only a third of UK companies (33 per cent, compared with a global average of 39 per cent), and even fewer (28 per cent) are involved in setting security strategy (compared with 42.5 per cent globally). “Cyber security is far more than just building security controls – it’s about changing your organisation to be securable,” Horne added. “That requires all aspects of a business to be engaged, to make tough decisions at board level, and embed consideration of cybersecurity risk in all decision-making processes.”

Although the main insider risk and source of incidents for UK organisations continues to be current employees (with former employees a close second), service providers, consultants and contractors are increasingly likely to be the cause of cyber-threat to a business. Phishing still works to target these groups – 37 per cent of cybersecurity breaches were reportedly caused by phishing incidents.

“Instilling a cyber-aware culture in an organisation, and controlling who has access to what information, continues to be of utmost importance. Even with the best technology available on the market, employees can still be your weakest link,” Horne warned. “But when trying to assess your ‘insider’ risk, it’s important to look not only at your internal data, people and processes, but also at the third party relationships closely connected to your business – that is where the threat increasingly lies.”
