Cybercrime: Not if, but when

Criminals exploit chaos. They persuade people to make blunders – such as clicking on a phishing email link – or take advantage of times when normal processes are changing and users expect things to work differently. They know that this is when people are most likely to be vulnerable or corruptible.

Cybercrime has been near the top of risk reports and risk registers for years, but there are three major reasons why internal audit should be looking more closely at cyber controls, policies and security culture now. First, the criminals upped the ante when the world went online in response to Covid-19. Second, shifts to, for example, remote working and purchasing, and restrictions limiting onsite audits will have opened cracks in corporate defences. Third, cybercrime is complex and cyber audits are often outsourced to experts, leading to a myth that “ordinary” internal auditors lack the skills to broach the subject effectively.

Technology has become so all-encompassing that, just as we depend on it more than ever, it seems harder to understand and monitor. It is a truism that all internal auditors need to be more tech-savvy, but what does this mean? Does it mean nagging managers about enforcing password policies or does it mean using data analytics systems? Is there any point worrying about passwords if the hackers are going to bypass them? How can you provide assurance that your corporate structure is secure when you don’t know what your suppliers and customers are doing in the supply chain connected to your systems?

Similar problems can occur when internal auditors raise cybercrime issues with boards. When a subject becomes too specialist, a sense of fatalism creeps in and people think it will be easier and safer to hand the problem to a specialist team or contractor rather than engage with the issues. Fear creates an impulse to avoid the problem rather than confront it.

Until disaster strikes. And it will. This is why internal audit needs to engage with cyber risk now, insist that management does the same, and help to instil a strong cyber risk culture throughout the organisation. The good news is that, while external specialist contractors may be necessary for the technical side of things, there is a huge amount that every internal auditor can do to stay on top of what their organisation is doing and be aware of the most significant risks. They can help to spread understanding that cyber risk testing and preventative actions are interconnected, and assess whether management is prepared to deal with a breach and can limit the damage when it happens.

“It’s when, not if,” warns Stan Dormer CFIIA and director of consultancy Mindgrove, who runs a Chartered IIA virtual course on Cybercrime and crisis management. “Your organisation needs to know what it will do when its defences are breached and it needs to monitor constantly to spot the signs of a breach as early as possible. You need computers and people checking, for example, everything from systems dropping out unexpectedly to unexplained transactions appearing in the accounts system, or why your servers are sending out bafflingly trivial messages.”

US travel management firm CWT paid $4.5m in July 2020 to hackers who stole reams of sensitive corporate files and said they had knocked 30,000 computers offline, according to a record of the ransom negotiations seen by Reuters.

According to the UK’s National Cyber Security Centre (NCSC), another company that fell victim to a ransomware attack and paid criminals millions for the decryption key to restore their network fell victim to the same ransomware gang less than two weeks later, after failing to examine why the attack was able to happen in the first place.

“The lesson is that if you pay a hacker you may be targeted again,” warns Dormer. He points to the alternative example of Danish company Demant, which was hacked and refused to pay the ransom. The company set about recovering its own systems, but estimates that its long-term clear-up costs will be between $80m and $95m. The company had cyber insurance, but it covered only around $14.6m of these losses.

“If you seriously want to breach an organisation you don’t knock on the door with a gun in your hand, you infiltrate gradually and gain the victim’s confidence. It’s a slow game and it’s often about gathering intelligence as much as creating the potential for disruption,” Dormer warns. The most effective breaches leave as few traces as possible, because the aim is to remain undiscovered, and to keep exfiltrating data, for as long as possible.


People power

HR is another important element in the non-high-tech security jigsaw. Be careful who you wish for. Derek Jamieson, director for regions at the Chartered IIA, who recently organised a Chartered IIA Heads of Internal Audit Forum on cyber security, warns that criminal gangs are known to be operating through recruitment companies offering skilled IT staff. Demand for such staff has soared since companies moved online in global lockdowns. Why send phishing emails or try to corrupt staff when you can infiltrate the heart of the IT system by getting the company to hire you? The clever part is that the first temp supplied may not do anything wrong, or may just gather intelligence. Once the agency becomes a trusted supplier, it will have many more opportunities.

Corrupt employees are another risk, which is where HR, management and cultural audits play a part. How well do managers know their teams, and are they aware of changing circumstances that could lead to temptation, such as a spouse being laid off or a recent death in the family? Some estimates put the proportion of breaches that involve an insider, colluding for money or for revenge, at around half, which is something to consider in a recession if you are making people redundant or cutting pay or hours.

Education and discipline are also important, but everyone makes mistakes, particularly when under pressure and working in stressful situations remotely at home. Some companies threaten that anybody who breaks corporate cyber policies will face disciplinary consequences. However, this may be too simplistic. It can be hard to enforce, may encourage people to cover up mistakes and senior managers could end up having to fire themselves.


The back door

Suppliers, customers and anyone else who connects to your system is a potential weak link. Dormer tells of cyber attacks late last year which ultimately led to the breach of a software firm. The hackers used this breach to get into the software distribution chain and, from there, into its customers’ systems – including the US Department of Homeland Security and multiple companies in the defence industry. This attack seems to have been used primarily for eavesdropping and gathering information.

“All companies should be watching transmission connections between themselves and partner organisations – anywhere where information flows in and out,” Dormer advises.
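Two of Dormer's points above, spotting servers that are "sending out bafflingly trivial messages" and watching the connections between your organisation and its partners, can be turned into a routine check over outbound-connection logs. The Python below is an added example written for this page; it is not code from the article, from Mindgrove or from any product. The log format, the sample lines and the partner allow list are constructed for the example, and the thresholds are assumptions to be tuned against your own traffic. It flags host-to-destination pairs that talk at near-regular intervals with small, uniform payloads (a common shape for malware check-ins), and totals the bytes sent to any destination that is not on the documented partner list.

```python
"""Two early-warning checks over an outbound-connection log:
(1) beaconing: a host contacting one destination at near-regular intervals
    with small, uniform payloads;
(2) data flowing to destinations outside the documented partner allow list.
Log format, sample lines, allow list and thresholds are all constructed
assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 'timestamp src=host dst=host:port bytes_out=N' per line.
SAMPLE_LOG = """\
2021-02-10T09:00:00 src=10.0.1.5 dst=203.0.113.7:443 bytes_out=312
2021-02-10T09:10:00 src=10.0.1.5 dst=203.0.113.7:443 bytes_out=318
2021-02-10T09:20:03 src=10.0.1.5 dst=203.0.113.7:443 bytes_out=315
2021-02-10T09:30:01 src=10.0.1.5 dst=203.0.113.7:443 bytes_out=310
2021-02-10T09:40:00 src=10.0.1.5 dst=203.0.113.7:443 bytes_out=316
2021-02-10T09:50:02 src=10.0.1.5 dst=203.0.113.7:443 bytes_out=313
2021-02-10T09:03:12 src=10.0.1.9 dst=198.51.100.20:443 bytes_out=48211
2021-02-10T09:41:57 src=10.0.1.9 dst=198.51.100.20:443 bytes_out=1290
2021-02-10T11:15:30 src=10.0.1.9 dst=198.51.100.20:443 bytes_out=7730
2021-02-10T09:05:00 src=10.0.2.14 dst=192.0.2.55:22 bytes_out=2048000
"""

# Assumed list of documented partner endpoints (e.g. a payroll provider's API).
PARTNER_ALLOWLIST = {"198.51.100.20:443"}


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            fields = dict(p.split("=", 1) for p in parts[1:])
            records.append({
                "ts": datetime.fromisoformat(parts[0]),
                "src": fields["src"],
                "dst": fields["dst"],
                "bytes_out": int(fields["bytes_out"]),
            })
        except (ValueError, KeyError):
            continue
    return records


def find_beacons(records, min_connections=5, max_interval_cv=0.1, max_bytes=1024):
    """Return (src, dst, mean_gap_seconds, connections) for pairs whose contacts
    are regular (coefficient of variation of the gaps <= max_interval_cv) and
    uniformly small. Legitimate heartbeats match too: hits are leads to explain,
    not proof of compromise."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)
    hits = []
    for (src, dst), rows in by_pair.items():
        if len(rows) < min_connections:
            continue
        if max(r["bytes_out"] for r in rows) > max_bytes:
            continue
        rows.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rows, rows[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_interval_cv:
            hits.append((src, dst, round(avg), len(rows)))
    return hits


def unlisted_destinations(records, allowlist):
    """Return {dst: total_bytes_out} for destinations missing from the allow list."""
    totals = defaultdict(int)
    for r in records:
        if r["dst"] not in allowlist:
            totals[r["dst"]] += r["bytes_out"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, gap, n in find_beacons(recs):
        print(f"beacon? {src} -> {dst}: {n} small connections roughly every {gap}s")
    for dst, total in unlisted_destinations(recs, PARTNER_ALLOWLIST).items():
        print(f"unlisted destination {dst}: {total} bytes out")
```

On the sample data the first check surfaces 10.0.1.5 talking to 203.0.113.7:443 every ten minutes with a few hundred bytes each time, and the second lists both that destination and a two-megabyte transfer to an SSH endpoint nobody has documented as a partner. Neither finding is a verdict; each is a question for the system owner to answer, which is exactly the kind of evidence an auditor can ask management to show it is collecting.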


What to do now

It’s still worth checking that your organisation has all the best-practice IT controls, and is actually using them, but these are defensive structures, warns Dormer. “Most expert hackers don’t challenge these measures. They’ll compromise code or get in via alternative pathways.” Strong security mechanisms may even be counterproductive if they mean that staff can’t operate systems without being challenged and are tempted to circumvent the rules to save time.

Education for staff and managers, simulated phishing attacks and cultural audits are all important as a first line of defence, but what is vital is a Plan B. You cannot prevent every attack, but you can ask the right questions and make management think about the early warning signs that a system is compromised, the implications of an attack (from theft, system failures and ransoms to reputational losses) and the emergency protocols. Who is notified first? What gets shut down, and when? Who speaks to the press, suppliers, customers, staff and, where necessary, regulators, and who posts on social media? Does your insurance cover the situation?

“When flood water starts rising, you watch and adjust your dam’s defences, but you can’t assume that they will hold forever, under all possible conditions,” Dormer says. “You monitor the situation constantly. You need to know who you should get together to make decisions, at what point do you watch and gather evidence and when do you pull out the plug? If you need to shut down part or all of a system, do you have a back up? And what do you do if you can’t shut down – for example, if you have aeroplanes in the sky being targeted?”


Mind the culture gap

Our new cyber security report, Mind the Gap: Cyber security risk in the new normal, carries a number of findings that are relevant to this piece:

51% of senior internal auditors report that their organisation suffered a cyber attack in the past 12 months that impacted products and services.

81% include cyber security in audit plans.

58% identify threats and audit the mitigation plan.

62% conduct risk assessment in collaboration with IT and risk colleagues.

But only

41% said they discussed cyber security risk with the board.

32% contribute to cyber security strategy/policy.

31% create a culture to learn from mistakes.

33% assess whether their organisation is investing in security training for employees.

27% of organisations use employee training to manage and mitigate cyber risk.


The public sector view

“We’re currently going through our audit planning process and one of the key things we refer to is external risk reports. The Chartered IIA’s Risk In Focus report highlighted the increase in phishing and cyber attacks, and cyber risk is always on all local authorities’ strategic risk lists, so this also feeds into the process,” says Russell Heppleston, deputy head of audit partnership at Mid Kent Audit, which provides internal audit services to councils in Kent.

However, this year his team is working differently. “We’re looking at specific risk areas, rather than the broad sweep of ‘cyber risk’. We feel it is a better use of our resources to target audits to the main concerns. In particular, we’re actively looking at what has changed because of Covid-19.”

His team is also seeking other forms of assurance. Most of the bodies they audit run independent phishing tests, so Heppleston is using the results of these tests and checking whether they are followed up.

“Doing a deep dive on a defined area of cyber risk is a new approach for us,” he says. “Lots of IT risks are not high tech and we can test and check whether controls work using core internal audit skills. We’re also doing this work cross-authority for our local authority clients so we can share insights, risk responses and lessons learnt.”

“This isn’t just because of Covid, but the shift to remote working has increased the risks,” he adds. His team audited agile and remote working practices last year and is also auditing staff wellbeing. All are new areas for the internal audit team and originated from the response to the pandemic and new ways of working.

“It’s about keeping up with changes in the organisation and highlighting shifts in risk to the executive,” he adds. “Because cybercrime is always high on the priority list, people can get complacent and think it’s covered. Internal audit can make sure managers focus on what has changed.”

This is why he shares examples of successful attacks (and their outcomes) reported in the media with all his clients. “We’re also looking at the cultural angle here and education is vital,” he says. “It may be more difficult to do cultural and behaviour audits remotely, but we’re seeing ever more ‘lockdown fatigue’ because everyone is tired and stressed. This increases the likelihood of people making mistakes, so it’s important that we continue to keep assurance relevant and targeted at the right areas.”


The private sector view

For Coca-Cola, operational technology (OT) is as important as IT. “My team works across both types of cyber risk and we have almost doubled the number of IT and cyber audits in the past year, so this is massive for us,” says Charlie Miller, who leads the IT audit and data analytics team at Coca-Cola European Partners corporate audit services.

Remotely auditing OT risks is particularly challenging since these systems are often not managed by the IT department, he explains. “Normally there is a cyber audit element whenever auditors go on site visits. Security culture is key and you only get a feel for this if you see people on site.”

He and his team tailor the audit procedures to counter the risks of remote working and phishing attacks, speaking openly with employees about these risks. “Humans are the weakest link, so training and education tailored to meet local needs across our 13 countries is hugely important for us,” he says. “Coca-Cola also tries to educate customer teams, notifying them if we see a new attack. Our IT audit team meets the chief information security officer regularly.”

Another major issue for Miller is to ask how quickly the organisation could recover if it were attacked. “Can we recall all our data and get our operations running again?” This also involves checking that the company’s connections with suppliers are secure and whether they too have adequate recovery plans.

Artificial intelligence and robotics bring further risks. “As more is automated, more risks arise with areas that are not fully under control,” Miller says. However, data analytics makes it possible to audit data sources and themes that were not on internal audit’s radar previously, such as analysing helpdesk tickets and social media.

“This is where it gets interesting and there is a world of data out there that is under-utilised. It is broader than IT audit and goes beyond any single team or manager, so it needs wide collaboration across teams,” he says. “People think of data analytics in terms of financial data, but there is a huge amount of value in non-financial data analytics work.”

“We want to empower non-IT auditors to embed key basic IT controls to run as standard in all field audits so some elements of IT audit are ubiquitous and operate like a triage system,” he explains. “One of the biggest parts of strategy is deciding what not to do. All organisations need to reassess regularly and this should help us to see what needs specialist input and what doesn’t.”



The financial services view

Cyber risk is a catch-all phrase, but the risk profile changes with emerging technologies, shifts in the work environment and as hackers develop new methods and tools. Things that weren’t threats become threats, points out Mumtaz Ansari, senior internal audit manager at Allianz UK. In addition to dealing with the pandemic, Allianz completed a large merger last year, so internal audit adapted its audit plan and approach to provide assurance on IT and information security controls and processes.

“Cyber risk was always on our radar from an assurance perspective because of the impact it can have on reputation and disruption to the business. Since the pandemic, this risk has evolved. People working remotely are isolated and hackers are exploiting this, for example with increasingly sophisticated phishing attacks via phone calls, emails or by infiltrating insecure meeting tools,” Ansari warns.

Internal audit has been conducting audits on topics such as security of IT networks and tools, information security awareness, and processes and controls in the remote working environment that include issues such as staff wellbeing.

“We assess whether all remote workers have secure configurations and are following protocols and complying with data regulations. The switch to remote working increased stress on IT teams, equipment and resources, so we are assessing whether performance and capacity management processes are being proactively managed to fulfil heightened business demands,” Ansari says.

The audit team is also looking at the management and resilience of third-party IT services. The security and availability of third-party services is vital, especially since some third parties may be in financial trouble or under stress.

Organisational responses to security incidents are important too – how robust are the incident management mechanisms set up to deal with security incidents and manage continuity of the business? Do employees know what to do if they click on a suspicious email? Whom should they tell? What is the corporate response if the system is compromised? Can they detect an attack? How soon would they know and how fast and effectively could they manage the situation? Do they have resources and experts who could help?

Cyber risks will continue to “bubble up” from the pandemic, Ansari predicts. “We also have to look at capability in the internal audit team – do we have people who understand the risks and the control environment?”

The Chartered IIA's new report Mind the Gap: Cyber security risk in the new normal offers research and guidance on internal audit's role in promoting a strong cyber security culture.

This article was first published in March 2021.