Virtual Brochure – March 2025

Commentary on significant and increasing risks

1.1 Cybersecurity and data security

[Chart: ppt compared to 2024]

It’s no surprise that cybersecurity continues to be the top rated strategic risk for the majority of European businesses and organisations covered by the ECIIA survey. Respondents expect this to remain the case in five years’ time, although the overall percentage ranking this as their top risk is anticipated to decline.

The report highlights a large increase in sophisticated phishing attacks, hybrid attacks, and the emergence of AI-generated deepfake attacks over the last 12 months. Additionally, businesses highlight growing concerns about security vulnerabilities at suppliers and partners and the imperative of evidencing the adequacy of security controls at third parties, rather than taking this on trust.

While having robust incident management, disaster recovery and business continuity plans – and testing these – are considered to be essential controls for businesses, the report identifies an increased emphasis on strengthening identity and access management across the employee lifecycle, the greater use of analytics to identify potential weaknesses, and the increasing use of AI-powered defense tools.

Considerations for HE

Government statistics on cybersecurity breaches [1] for 2024 suggest that 97% of HE institutions were subject to an attack in the last year. Of those surveyed, 100% reported phishing attacks and 90% impersonation attacks. Perhaps surprisingly, 27% reported unauthorised access by staff, higher than unauthorised access by outsiders (20%). While 97% reported that they have identity and access management in place, the incident data questions the effectiveness of controls. Additionally, only 58% reported that they monitor supply chain cyber risks.

We encourage institutions to discuss:

- Does your governing body and audit committee membership have sufficient understanding of cyber risks and industry standard approaches to management and mitigation?
- To what extent are new forms of attacks, particularly hybrid attacks involving impersonation, included in your employee training and systems testing?
- How well integrated, secure and effective are your HR and identity and access management processes? What evidence do you have that this is rigorous and robust?
- How strong is the cyber and data security culture of your suppliers and any partners with access to your systems? How is this being tested and evidenced in practice?
- How effective is the overall design of your assurance framework? How is this being tested and reported through governance structures?

[1] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024-education-institutions-annex