Cyber security heads risk list for audit chiefs in European Institutes’ joint report

Graph 1

New research findings based on the responses of over 300 chief internal auditors working in organisations across Europe reveal the top risks facing organisations across the private and public sectors in 2019, with cyber security commanding the Number One spot.

Cyber security is now such a big concern for chief internal auditors that a clear two-thirds (66%) majority of all the respondents that took part in the study* said it’s now one of the Top Five risks their organisation faces. Internal audit advises the Board on the effectiveness of an organisation’s management of risk.

The research results are published in the latest annual risk report entitled ‘Risk in Focus’ produced by seven European institutes of internal auditors and covering eight EU countries. The report highlights the top risks that should be high on organisational agendas in 2019 and further into the future.

The top risks facing organisations, as identified by chief internal auditors, are cyber security (66%), compliance (58%), data security and data protection (58%), HR and people risk (42%), regulatory change (37%), digitisation (36%), innovation (28%), culture (25%), outsourcing and third party risk (24%) and political uncertainty (23%).

Dr Ian Peters MBE, CEO of the Chartered Institute of Internal Auditors, said: “It’s not surprising that organisations are most concerned with cyber security, compliance and data protection in a post-General Data Protection Regulation world. Cyber security has been a high-priority risk for a number of years and this shows no signs of abating. However, companies are pushing to move away from legacy systems and, as approaches to managing cyber risk mature, attention is turning to third-party defensibility. High-profile cyber attacks such as Petya and WannaCry are becoming more and more prevalent and this means that organisations are only as strong as the weakest link in their IT supply chain.”

A major obstacle to mitigating cyber risk is the piecemeal approach organisations have taken towards their IT infrastructure planning and development over past decades. Poor governance and oversight of IT functions have meant that businesses have gradually built siloed systems and bolted on parts of their network over a period when cyber risk was low.

It’s important now that organisations look at outsourced or third party supply chains to ensure that they’re not vulnerable to cyber attacks.

Methodology underpinning the research

Graph 2

In the first half of 2018, seven institutes of internal auditors from France, Germany, Italy, the Netherlands, Spain, Sweden and the UK and Ireland distributed a quantitative survey to chief audit executives (CAEs). The survey received a total of 311 responses from CAEs in all territories and across a broad cross-section of industries.

Respondents were asked to score the biggest risks their organisations face from 5 to 1, with five being the top risk and one being the fifth biggest risk. This gave a picture of risk priorities in two ways.

First, it showed which risk areas are considered to be one of the Top Five biggest risks to the organisation, i.e. which risk areas scored at least one point from respondents (regardless of where the score fell between 5 and 1). This is illustrated by Graph 1. Cyber security came out on top, with 66% of CAEs saying it is one of their Top Five risks.

Second, it showed which risk areas are considered to be the single biggest risks the organisation faces, i.e. those risks that received five points from respondents. Cyber security once again led these results, with 15% of CAEs saying that it’s their single top risk. This is illustrated by Graph 2.

This year, for the first time, a survey (which received more than 300 responses) was distributed to supplement the interview process. This quantitative research augmented the overall report by providing data on the biggest risks that CAEs believe their organisations face.

*The full report can be found at

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
