Audit & Risk

UK organisations double cybersecurity spend, but lack crucial information

The latest Global State of Information Security Survey from PwC suggests that UK organisations are belatedly trying to shore up their cybersecurity provisions, but that many still need to move cybersecurity up the boardroom agenda if they are to see real results.

UK organisations doubled their information security budgets last year, spending £6.2m on average (compared with £3m in 2015), and over one and a half times more than their global counterparts (the average spend is £3.9m). Despite this, nearly a fifth (18 per cent) don’t know how many cyberattacks they experienced last year and 17 per cent of all respondents don’t know the probable source of security incidents, according to PwC’s latest annual Global State of Information Security Survey 2017. Security incidents now cost organisations an average of £2.6m (up from £1.7m last year) and executives around the world are realising that they cannot afford to ignore protecting their assets, researchers said.

The survey was produced in conjunction with CIO and CSO, based on interviews with over 10,000 executives from more than 133 countries, including 479 UK respondents. Key findings include: 

  • 18 per cent of UK organisations don’t know how many cyberattacks they suffered last year. 
  • Nearly eight in ten experienced down-time because of security incidents. 
  • The average number of security incidents faced by UK companies increased by 23 per cent to 5,792. 
  • Incidents now cost an average of £2.6m, up 53 per cent from last year. 
  • Only 28 per cent of UK boards are involved in setting security strategy.
  • Current employees continue to be the top insider risk, but increasingly business partners are also a risk.

“We’re beginning to see a shift in thinking. Organisations have come to realise that they can’t view cybersecurity as just a cost or barrier to change given the many high-profile incidents we’ve seen recently,” said Richard Horne, UK cybersecurity partner at PwC. “Getting security right is not only essential to the day-to-day running of a business, but can even be a competitive advantage, help to drive business growth and build brand trust.”

The survey found that UK boards are less involved than those in other markets in setting the security budget and, more importantly, the strategy. The board sets security budgets in only a third of UK companies (33 per cent, compared with a global average of 39 per cent) and even fewer (28 per cent) are involved in security strategy (compared with 42.5 per cent globally). “Cyber security is far more than just building security controls – it’s about changing your organisation to be securable,” Horne added. “That requires all aspects of a business to be engaged, to make tough decisions at board level, and embed consideration of cybersecurity risk in all decision-making processes.”

Although the main insider risk and source of incidents for UK organisations continues to be current employees (with former employees a close second), service providers, consultants and contractors are increasingly likely to be the cause of cyber-threat to a business. Phishing still works to target these groups – 37 per cent of cybersecurity breaches were reportedly caused by phishing incidents.

“Instilling a cyber-aware culture in an organisation, and controlling who has access to what information, continues to be of utmost importance. Even with the best technology available on the market, employees can still be your weakest link,” Horne warned. “But when trying to assess your ‘insider’ risk, it’s important to look not only at your internal data, people and processes, but also at the third party relationships closely connected to your business – that is where the threat increasingly lies.”
