Businesses do not audit their IT systems thoroughly enough given the risk and potential impact of cyber attack, according to a new report from UK think-tank Chatham House.
The report, funded by UK IT security provider Detica, says that the failure of IT audits to take in the wider business environment indicates a "deficiency in general boardroom-level understanding of cyber dependency and provides some evidence of a systemic failure in risk management".
At one company that Chatham House studied, ICT staff who raised cyber security concerns with senior management were told there was no money available to invest in defences. This, the report says, demonstrates that "senior management had little sense of the company’s unmitigated cyber dependencies".
"While the question of cyber security appears to be ascending in boardroom consciousness, many senior managers still seem largely uninformed about the nature of cyber threats to their businesses," the report says. "Just as significantly [they] do not know where to turn for high-quality information on threats and responses."
The report is clear that businesses must take responsibility for their own protection, with government playing a role of "shaping the discourse, informing wider society and raising levels of awareness".
Chatham House also detected among businesses a contradictory attitude towards IT security. "They declared themselves to be aware of cyber security threats," it says. "Yet these same organisations were willing, for a variety of resource and other reasons, to accept an unexpectedly high level of risk in this area."