In the first of two articles looking back at ACCA UK’s Internal Audit Conference, we look at how you can identify and manage the risks posed by modern technology.
Digital technology continues to transform and disrupt the business world, exposing organisations to both opportunities and threats. To demonstrate the revolution in modern technology over 50 years, Stephen Hill, managing director of Hill Bingham Ltd, compared Apollo 11, which landed the first two humans on the moon in 1969, with the iPhone 6, launched in 2014.
‘A now relatively old piece of technology, the iPhone 6, has 130,000 times as many transistors as Apollo 11, is 80,800,000 times faster in delivering instructions per second and in terms of overall performance is 120,000,000 times speedier,’ he told delegates at ACCA UK’s annual Internal Audit Conference in Birmingham. ‘Theoretically, it could guide 120m rockets to land on the moon at the same time.’
While there are clearly benefits to these jaw-dropping advances in technology, Stephen suggested that the pace of change has become too fast to keep up with from a risk perspective. ‘This is the reason cyber criminals are so successful today,’ he said. ‘New technology is creating new opportunities to take advantage of operations that haven’t been tested properly.’
Business models have changed substantially as well. Just a few examples include Uber, the world’s largest taxi company, which owns no taxis; Airbnb, the biggest accommodation provider, which owns no hotels; and Netflix, the biggest movie house, which owns no cinemas. The transition is also evident in the financial sector, with SocietyOne, the fastest growing bank, having no physical money.
So, what is information technology risk? The Institute of Risk Management’s definition is simple: any risk related to information technology. Over the last 20 years, risk has centred on issues such as IT security, hardware and software malfunction, and power failure leading to data loss. ‘But that’s yesterday’s world,’ Stephen said. ‘One of the biggest challenges is that traditional security models focus on keeping external attackers out, but the reality is that there are as many threats inside an organisation. The risk posed by mobile technology, cloud computing, social media and employee error should be our focus in 2018.’
Examples of high profile disasters in recent years include the Microsoft Azure outage, caused by human error, a cyber-attack on Deloitte that compromised the confidential emails and plans of some of its blue-chip clients, and data theft from Yahoo that affected at least 3bn accounts.
‘We put a lot of trust in big companies, but cyber-attacks have had big names in the frame,’ Stephen pointed out.
‘Cybersecurity is continuously in the news but the risks posed by weak and outdated security measures are hardly new,’ he added. ‘Cybersecurity is widely recognised as a challenge for governments and businesses alike. It was once considered the sole preserve of IT departments and security professionals but companies now recognise that a wider response is required and boards are seeing cyber-risk not as a technology risk, but as a strategic, enterprise-wide risk.’
Cyber-crime, Stephen explained, can be divided into two categories: cyber-dependent crime and cyber-enabled crime. Cyber-dependent crimes are offences that can only be committed using a computer, computer networks or other forms of information communication technology. This type of crime is primarily directed against computers or network resources and includes malware, hacking and viruses.
Cyber-enabled crimes are crimes such as theft, fraud, hate crime and sexual offending against children, which are increased in scale or reach by using computers, computer networks or other information communication technology.
At the beginning of 2018, Ciaran Martin, Head of the UK’s National Cyber Security, said: ‘A major cyber-attack on the UK is a matter of “when, not if”.’ Stephen agrees. ‘Everyone in this room and their organisations will experience one,’ he said. ‘We are losing the battle against the perpetrators for three reasons: humans will always make mistakes; system and application vulnerabilities continue to emerge; and malware detection will always lag. Worryingly, the gap between attacker capabilities and the capabilities of businesses to protect themselves is growing significantly.’
Impact of a cyber-attack
A cyber-attack can have devastating consequences for an organisation: it disrupts the business, with resulting financial implications; it causes loss of information and data; and, perhaps most importantly, it damages the company’s reputation.
Advances in mobile technology bring new concerns, including the potential loss of important business information, theft of the device, and the grey area between personal and company use of the device when it comes to privacy and monitoring.
In a snapshot of risks created by cloud computing provision, Stephen highlighted loss of control over data, compliance breaches, inadequate security of data and rogue or phantom clouds. ‘Internal audit needs to understand how the organisation is going to use cloud technology and the risk the business faces,’ he said.
For the profession, assessing risk is about considering what could happen, how bad it could be and how often it might happen, while security is about the protection of data and covers prevention, detection and reaction.
‘Remember why attacks are possible,’ he urged. ‘The top five are that the end user didn’t think before clicking on unprotected websites, using free public wi-fi, or responding to an email; a weak password; insecure configuration; use of legacy or un-patched hardware or software and lack of basic network security protection/segmentation.’
However, on a more positive note, a key cyber-crime prediction for 2018-19 is that employee training will continue to grow in importance, generating the most return on investment out of any enterprise data security solution.
Stephen left his audience with a quote from Iain Lobban, former director of GCHQ: ‘About 80% of known attacks would be defeated by embedding basic information security practices for your people, processes and technology.’
use up-to-date anti-malware and firewall systems
use authentication to allow only authorised people through your perimeter
establish and enforce mobile device management for all remote working
use data loss prevention technologies to prevent data being leaked
use encryption to protect your most valuable or sensitive data, in addition to strict password policies
train your staff in security awareness
put policies in place concerning the use of social media and BYOD.