(c) Institute of Chartered Accountants in England and Wales. Contact ICAEW for permission to reproduce this article., Information Technology

Cyber security: coping with increasing complexity

Complex legacy it environments hinder good cyber security

Many large organisations struggle with complex legacy IT environments made up of fragmented, non-standard systems that often need to be supported by information held in spreadsheets. These complex IT environments are typically the result of many years of business and IT decisions, and one of the unintended consequences is that it makes good cyber security, such as patch management, much harder. In the longer term, organisations need to reduce the complexity of their IT architecture and simplify their systems. Yet even if companies were to rip their systems out and start again, the continual level of change means that complexity could easily creep back into the IT environment. Consequently, the most fundamental improvement that businesses can make is to embed cyber risk into decision-making across all business activities.

Despite improvements, there is a substantial gap in cyber security maturity levels

There have been significant improvements in cyber security in most organisations over the last five years, reflecting substantial investment in cyber security programmes. There has been a particular emphasis on getting basic security practices right. Following the real-world impact of some high-profile breaches, such as Wannacry and NotPetya, businesses are also placing much greater emphasis on resilience, recovery and response to breaches. However, there is a wide range of maturity levels in cyber security practices. The most mature companies are typically found in sectors such as financial services and technology, and are spending a lot of money combatting intensive cyber attacks.

Business needs a smarter approach to cyber security laws and standards

Greater board engagement has been driven to some extent by regulators and governments, who have increased the pressure around cyber security over the last two or three years. This includes hard legal requirements. For example, the General Data Protection Regulation (GDPR), which updates personal data laws across Europe, will have a widespread impact as it comes into force. There has also been a proliferation of cyber security standards around the world. While these all may be well intentioned, and aim for the same broad objectives, there is little co-ordination between initiatives. Consequently, businesses must become more proactive in developing a specific strategy around cyber security laws and standards that maps different requirements and builds broad capabilities to comply.

This article was originally published by ICAEW.