In the current climate, internal auditors have a duty to understand what cyber threats mean for their organisations.
Reading this article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.
Over the last 25 years the internet has evolved from small-scale communications between defence organisations to a global vehicle for communications, service delivery, commerce and marketing. Cybersecurity has paralleled this growth. It has evolved from a technology game played by geeks to a global problem involving organised crime, systematic fraud and theft, state-sponsored espionage, cyber-warfare, and a free-for-all for hobbyists, terrorists and politically inspired hacktivists.
Banks have lost hundreds of millions of pounds. The internet for entire countries has been brought down. One state saw its power grid shut off. And it is estimated that global losses will exceed $2 trillion per year by 2019. In the UK losses are more than £700 per person per year. One hack in the UK alone netted more than £100m in February 2016.
Large areas of the internet are essentially beyond the control of lawmakers. The laws of many countries are outdated. As a result, those areas host large, sophisticated organisations dedicated to cyber-crime that can operate with impunity. The ‘dark web’ - the hidden and unregulated area of the internet - is huge. It is estimated that only 5-10% of the internet is publicly accessible through tools like Google and Bing. It’s an enormous game of cat-and-mouse. Except the cats are criminals and the mice are made of solid gold.
When businesses move online, cyber becomes a significant business risk - and in some industries the dominant business risk - faced by boards of directors and shareholders. There have been many high-profile, expensive hacks and many reputations trashed. As a result, there is increasing regulatory pressure. Companies have been fined for privacy breaches. The UK government has announced a £1.9bn national cyber programme and mandated that all its suppliers have Cyber Essentials certificates before awarding new contracts. There is an emerging cyber-insurance market that is also driving improved standards such as ISO 27001 for information and data security; certification against this standard is not yet universal but will increasingly be a standard requirement.
And finally, as if all this was not enough to draw the attention of the internal auditor, cyber defence expenditure is rising quickly. The market for cyber services reached $170bn this year, with one bank alone – JP Morgan – spending $500m on cyber defence in 2016. This means that, despite the complexity and foreign technical language, auditors must get to grips with their organisations’ cyber problems. And that means the modern internal auditor must first understand the basic principles of cyber.
Prioritise cyber expenditure
The first principle is that your business must formally prioritise cyber expenditure. You cannot spend enough to prevent all cyber-attacks. Any increase in expenditure will reduce risk, but risk can never be eliminated. So, some companies give up. They take the view that it is cheaper to pay the regulatory fines and reimburse customers as required. Others will simply outsource everything to ‘the cloud’ - but it’s important to understand that the cloud is just a timeshare on someone else’s computer – a computer that also needs security checks. Neither of these abdication strategies is guaranteed to minimise shareholder risk.
The recommended approach is to understand in detail the criminal threat specifically to you, review your technology and controls, assess what risks lie in your data and processes, look at reputational risk, and then prioritise expenditure and countermeasures accordingly. An example: most mergers and acquisitions are highly sensitive and managed in conjunction with external lawyers and investment organisations. But most communication between management and professional advisers is by unencrypted email and can be easily intercepted.
The weakest link
The second principle is encapsulated in the famous joke about the bear. When two hunters see a bear approaching, one hunter puts on his running shoes. The other reminds him he cannot outrun the bear. ‘I don’t have to outrun the bear,’ says the first, ‘I just need to outrun you’.
If you are a bank, you don’t want to be the weakest bank. When everyone is vulnerable, your only safety lies in not being the weakest. Understand the norm for your sector, keep abreast of the risks in real time, and make it hard for the hackers; they will quickly move on, since there is, after all, a world of easy pickings out there.
The role of humans
The third principle is that cyber is not just a technical problem. Most hacks are simple - tricking someone out of a password, or conning an employee into clicking on a bad link - techniques known as phishing. A common scam is CEO fraud, where a well-researched and well-presented email arrives, supposedly from senior management, asking for critical business data or instructing a supplier payment.
And then there is the insider threat, the employee gone bad. A good security system looks for changes in people’s behaviour, for when the HR employee suddenly becomes interested in accounts payable. Humans are often the weakest link, and cyber awareness training, prompt removal of leavers’ access and good password hygiene are basic but important security measures.
Generally accepted security principles
The fourth principle is that, whilst cyber is still evolving quickly, there is a set of ‘generally accepted security principles’, and each organisation should assess, tailor and implement these to meet their specific needs. From a technical perspective, the top five things to check are that the company has procedures for managing:
- boundary firewalls and internet gateways
- secure configuration
- access control
- malware protection
- patch management.
These are the core elements that make up the Cyber Essentials certification. More experienced internal auditors, and companies with high levels of exposure, can use the CIS Critical Security Controls Framework, which contains 20 recommended controls and 149 behaviours to look for.
The fifth principle is to manage data. You want to see that your organisation has reviewed its data assets, allocated owners, ensured they are backed up, determined what is valuable and decided what should be protected - encrypted - either in its databases or whenever data is transmitted. Do different classes of data have different access controls, or is everything open once you are in? Does your company review outgoing traffic to ensure that sensitive data is not included (i.e. does it manage data exfiltration)? Whilst some of the technology here is complex, it is easy for an internal auditor to check whether these things have been considered.
Prepare to be hacked
And the final principle is that you will be hacked anyway, and you should prepare accordingly. Often the losses and reputational damage of a cyber breach are determined more by how quickly and competently the company responds than by the breach itself. Your organisation should have a cyber-incident response plan that specifies how an attack will be recognised, who will lead the response, how forensics and investigation will be carried out and - importantly - how you will communicate with clients and regulators. The plan should involve senior management and it should be rehearsed.
In conclusion, cyber fraud is now the dominant business risk for many businesses, and both losses and cyber defence costs are rising quickly. Internal auditors must not be put off by technical jargon; they can quickly use standard checklists and should stick to their guns in asking basic questions about what assessments and countermeasures - human and technical - have been established.
If you have not been trained by your organisation, then there is a good chance they have not addressed the weakest link - their employees. Act accordingly.
Finally, you can find out more about cyber defence via a series of ACCA webinars.
Stuart Bladen and Jay Abbott – CEO of Falanx Group and MD of Falanx Cyber Defence
Cyber security webinars
ACCA UK's Internal Audit Network ran a series of seven webinars on cyber security from March to September 2016.
Jay Abbott - managing director of Falanx Cyber Defence (part of the Falanx Group of Companies) - presented the series with co-hosts for specialist topics. Jay has over 20 years of industry experience in technology and security. He is a respected keynote speaker who is regularly quoted in the press and a trusted industry expert.
The series covered:
- An introduction to cybersecurity for internal auditors
- Cybersecurity and data security for internal auditors
- Cybersecurity and social engineering for internal auditors
- Cybersecurity and process network control for internal auditors
- Cybersecurity for internal auditors - how you should react when you are under attack
- Cybersecurity and outsourcing for internal auditors
- Cybersecurity for internal auditors - the latest techniques and attacks.
The entire series is now available on demand. Each webinar lasts for an hour and constitutes one unit of CPD where the content is relevant to your current or future role.