Does your internal audit team have the knowledge and skills to play its part in the defence of shareholder value from cyber attack?
A cyber attack is ‘an attack by bad people trying to stop an organisation working, or to steal its information or to change that information for their own gain’. This was the simplified definition Darren Brooks, practice director for Wipro, offered his audience at the annual ACCA Internal Audit Conference, held earlier this year in London.
These ‘bad people’ include: governments involved in cyber espionage; cyber activists, often focused on a particular cause; and cyber criminals, interested in making money, usually quickly. The latter, he added, represents a particular threat for any business that has exposed financial data or access to data that can influence market prices.
‘One of the most worrying aspects of successful cyber attacks is that around 50% of the organisations affected don't know how the bad guys got in,’ Darren said. ‘There are many possible reasons – and there is no doubt that increasingly sophisticated tools are being used – but poor IT hygiene is all too often the culprit. IT departments getting outsourced and corners being cut is also a big issue. And so is the fact that, in some organisations, it is not clear who is responsible for cyber defence. These cyber attackers are waging war and that’s not good enough.’
Other ways perpetrators ‘get through’ might include: lack of security organisation/controls; inadequate operational security tools/capabilities; limited end-user security education; and zero-day or targeted attacks.
Evolution of cyber attacks
Over the last five years cyber attacks have evolved significantly. ‘Many countries, for example, have seen this capability as a quick and cheap way of acquiring weapons which can do more damage to sophisticated enemies than conventional weapons,’ Darren explained. ‘A low level of cyber activism, which began in the mid-1980s, also remains in the background because the internet creates a platform which enables activists to reach a global audience. Cyber crime continues to grow steadily with conventional criminals realising it offers rich pickings with a lower level of risk.’
Moving into the anatomy of a sophisticated cyber attack, Darren explained that it could be broken down into seven stages:
command and control
actions on the objective.
Among current trends is a convergence of cyber attack and fraud, evidenced by the combination of denial of service (DoS) smokescreens, internal facilitation and data theft seen in many recent attacks on financial services companies. Also common are the proliferation of advanced cyber attack tools, a re-emergence of old techniques such as Trojan horse malware, phishing and spear phishing (more sophisticated attacks targeted at specific organisations and/or people and originating from plausible sources), and a return to perimeter attacks.
Building a defence
So what defence can organisations make against a cyber attack? ‘You have to assume that the bad guys will get through and understanding your company’s cyber risk is key,’ Darren told his audience. This risk might be cyber espionage, involving silent copying of commercial information, which could impact on any organisation with IP, M&A data or high-value contract data. Or it could be damage to a brand through negative publicity; sabotage; client loss; or direct fraud.
Once the risk is determined, the next move is to make ‘an active risk decision’. There are various options under this heading, Darren explained. An ‘avoiding risk’ decision is a limited option, while ‘stopping or preventing cyber risk’ is difficult and requires significant ongoing investment of time and resources in security controls. Other options include transferring or outsourcing risk, reducing its impact or simply accepting it.
The plan, do, check and act stages of resilience are already well understood by internal auditors but Darren highlighted checking as particularly important, explaining that under this heading comes monitoring networks, undertaking internal vulnerability scans and commissioning third party penetration tests.
The role of internal audit
One of the most important aspects of cyber security, however, is to know who is responsible for it. Darren was clear that responsibility starts with the board. Among the many questions internal auditors need to ask board members, he said, were those covering security governance, leadership, culture, reporting and strategy. And perhaps the two most important are: ‘is the board providing leadership on cyber security?’ and ‘is it providing the “right tone from the top”?’
Turning next to the layer of people who manage security within any organisation, Darren said that it is the job of internal audit to check whether the organisation has a good level of understanding of risk and threat – whether cyber risks are assessed and managed based on appropriate information using the latest industry guidance – and if they are able to implement the strategy that the board has signed off. Are they compliant with regulations, legislation and agreed industry standards? Is appropriate training being offered to end-users and is it working? Who and where is the point of contact in case of a serious incident?
Darren also highlighted the importance of asking questions around any plans for investment in new controls. What are they and where is the organisation in the cycle of acquiring and implementing them? ‘It is surprising how often I still come across businesses which have invested in all the latest toys but which are simply not doing what they’re supposed to do,’ he said. ‘And that means internal auditors can’t ask the next question, which is: are they providing the value for money we said they would?’
There are two more questions internal auditors should be asking their businesses, Darren concluded:
can we log the activities of our administrative users – are we looking at what they’re doing?
do we know what our valuable data is and where it is?
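The first of these questions only has a useful answer if someone actually reads the privileged-activity log. As an added illustration (not code from the conference or from Wipro), the script below parses sudo entries in the Linux auth.log format from a constructed sample, counts activity per administrator, and flags entries that an auditor would want explained: reads of credential stores, creation of a second uid-0 account, bulk archiving of a data directory, and anything outside an assumed 07:00-18:59 working window. The sample log, the working-hours window and the three sensitivity rules are all assumptions chosen for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in Linux auth.log / sudo format (not real data).
SAMPLE_LOG = """\
Mar 10 02:14:07 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 10 09:05:22 host1 sudo:      bob : TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 23:41:03 host2 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 backup
Mar 11 10:12:45 host1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 11 03:30:11 host2 sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/db.tgz /var/lib/postgresql
Mar 11 11:02:09 host1 sshd[2201]: Accepted publickey for carol from 10.0.0.5 port 50022 ssh2
"""

# Matches the standard sudo log line: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

WORK_HOURS = range(7, 19)  # assumption: 07:00-18:59 is normal admin activity

# Assumed review rules: (label, predicate over the command string).
SENSITIVE = [
    ("credential-store read", lambda c: "/etc/shadow" in c or "/etc/sudoers" in c),
    ("uid-0 account creation", lambda c: re.search(r"\buseradd\b.*\s-u 0\b", c) is not None),
    ("bulk data archive", lambda c: re.search(r"\btar\b.*\s/var/lib/", c) is not None),
]


@dataclass
class SudoEvent:
    host: str
    user: str
    hour: int
    target: str
    cmd: str


def parse_sudo_events(text):
    """Return one SudoEvent per sudo line; non-sudo lines (e.g. sshd) are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        events.append(SudoEvent(m["host"], m["user"], int(m["time"][:2]), m["target"], m["cmd"]))
    return events


def review_admin_activity(text):
    """Summarise privileged activity per user and list entries needing explanation."""
    events = parse_sudo_events(text)
    per_user = Counter(e.user for e in events)
    findings = []
    for e in events:
        reasons = [label for label, pred in SENSITIVE if pred(e.cmd)]
        if e.hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:
            findings.append({"user": e.user, "host": e.host, "cmd": e.cmd, "reasons": reasons})
    return {"events": len(events), "per_user": dict(per_user), "findings": findings}


if __name__ == "__main__":
    report = review_admin_activity(SAMPLE_LOG)
    print("privileged commands per admin:", report["per_user"])
    for f in report["findings"]:
        print(f"{f['user']}@{f['host']}: {f['cmd']}  <- {', '.join(f['reasons'])}")
```

On the sample above the routine parses five sudo events, ignores the sshd line, and reports three entries for follow-up (two of Alice's and one of Bob's). The point for an auditor is that the rules are simple enough to argue about in a review meeting: if nobody can say why a uid-0 ‘backup’ account was created at 23:41, the answer to ‘are we looking at what they’re doing?’ is no, however much logging is switched on.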