The accountancy trade body said businesses must focus their resources better in order to address cyber security threats in "the right places".
"In particular they need to balance investment in existing preventative controls with investment in new skills and solutions in monitoring, detection and response," the ICAEW said in a new cyber security report (20-page / 1.51MB PDF). "Viewing security as a cost or compliance issue is likely to be a significant barrier in this context, and emphasising the positive case for security can lead to greater business commitment."
Boardroom-level awareness of cyber security issues has improved and many companies are planning to improve their security protections, but much of that planning still has to be "translated into tangible actions and improved performance", the report said.
"There are questions about whether there is a commitment to deliver real change," the ICAEW said. "While most businesses are concerned about cyber security, it remains to be seen whether it is a high enough priority in most businesses in the absence of stronger commercial or regulatory pressures."
In providing evidence to a parliamentary committee earlier this week, Hugh Boyes, cyber security lead at the Institution of Engineering and Technology (IET), said that a culture shift is needed to ensure that everyone in an organisation is responsible for cyber security and that it is "not just for the specialists".
Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that giving more training to staff cannot, on its own, address all the issues organisations face on cyber security.
"When you look at the reasons behind the fines the Information Commissioner's Office has issued in a number of cases, it has often been more about employees doing things that they know they shouldn't do, rather than a lack of awareness," Scanlon said. "For example, sending emails to their personal email accounts to work on from home or using an unauthorised USB stick and introducing viruses into a corporate network, or even the more innocent action of sending a misdirected email. More formalised training will not change these behaviours."
"Rather than focus on what is impossible – preventing all employees from ever engaging in foolish or rogue behaviour – businesses should focus on the time and resources they invest into responding to cyber incidents. Every business needs to acknowledge that the reality is that a cyber attack is inevitable, and plan, prepare and regularly monitor and test its ability to respond to and recover from an attack," he said.
According to the ICAEW's report, the increasing use of digital technology by businesses is heightening the cyber security risks they face.
"The importance of cyber security continues to grow as businesses increasingly use digital technology to transform their business operations and customer engagement," the ICAEW said. "Economic growth is leading to new business activity, which in turn creates new cyber risks. Businesses may be acquiring other businesses to support their growth. They may be expanding into new markets or developing new products. In particular they may be looking to exploit digital channels more extensively. All of these activities may expose businesses to new risks in the supply chain, increase the challenges of getting security measures right and heighten the impact of security breaches."
Businesses that are adept at using social media can manage the impact of data breaches better than those that are not, the ICAEW said.
"The growing reach of social media is also exposing businesses with poor response capabilities," the ICAEW said. "Increasingly, news of data breaches or compromises is spreading incredibly quickly across platforms such as Twitter. However, businesses are often slow to respond and only provide limited information to customers, which can amplify the impact of the breach."