Virtual invaders: how geopolitics affects the risk of cyber attacks

When Magdalena Skorupa presented a session for the Chartered IIA’s Heads of Internal Audit Forum in May, she highlighted problems that she was experiencing first-hand in her then role as cyber director, IT risk, data privacy, validation and compliance, at Reckitt, and in her daily life in Warsaw, Poland.

She highlighted the immediate effects of a refugee crisis and of war just across the border in Ukraine – soaring inflation and interest rates, pressure on salaries and resources, panic-buying and stockpiling and a surge in cybercrime. Many of these issues were still rumours and predictions, rather than daily realities, in western Europe.

Since then, so much of what Poland was experiencing is now happening to us, at home and in our organisations – here and now. To combat these kinds of global risks, internal audit, like the cyber criminals, needs to operate across borders, spotting what’s happening elsewhere and helping organisations to prepare.


Lesson 1: Cyber warfare has no borders

Cyber warfare has no borders – I am talking about the problems experienced in Poland, but this is not just about an invasion of Ukraine by Russia. Understanding how a changing impetus for, and focus of, cyber warfare can affect one country or business, shows how it could also affect others further afield.

The cyber security risk landscape has changed significantly over the past few years – first because of Covid and then because of the Russian invasion of Ukraine. If internal auditors and those involved in risk and governance are to help our organisations combat these growing, global risks, we need to ask: what is the new risk profile for our businesses, what are the potential risk impacts, and what is the role of the risk and internal audit teams?

Over the past 20 years, I have worked in a variety of roles focusing on IT, cyber, internal audit and consulting. I’ve been at Reckitt for four years and, during this time, the risks from cyber attacks and threats to the cyber landscape have shifted dramatically.

The Covid pandemic had a significant impact on the way we operated – as it did on most businesses. We switched to everyone working from home and adjusted to the fact that people had to isolate if they tested positive. From one day to the next, the company had to work out how to balance its resources, how it could stay secure and ensure that employees knew what to do and how to behave in a very different world.

Although we had plans in place and were prepared to work wholly in the cloud, we still had to expedite these activities to the highest priority level to ensure that our people and our data were safe.

The situation changed again when, on 24 February this year, the Russians invaded Ukraine. While this had been on the cards since 2014, it was still hard for most of us to believe the magnitude of what we were seeing.

For a start, there was a sudden influx of Ukrainian refugees, particularly into Poland, where 3.5 million of the total six million refugees are recorded. These are “officially registered” refugees – there are probably many more who came to stay with family members who were already living and working in Poland.

The largest numbers arrived in the first two to three weeks of the war and most settled in the main cities: Warsaw, Gdansk and Krakow. This created many challenges, including having social impacts in terms of accommodation and on the workforce, food and supplies, education and access to medical treatment.


Lesson 2: Fake news has real impacts

Russian disinformation quickly became an issue. It is difficult to pin down because it changes from day to day. Fake news began to arrive on 24 February and has had a variety of targets and effects on individuals and businesses. For example, information that petrol stations would soon run dry caused people to dash out with jerry cans to buy extra supplies, resulting in kilometre-long queues. People and businesses who urgently needed fuel couldn’t get it. A manufactured scare story led directly to the imposition of real limits on purchases, and even then some people had to drive 50km to get their quota.

Another story claimed that the banks would have problems dispensing cash. Everybody immediately went to the ATMs and bank branches to withdraw their savings, and the banks had to limit how much people could withdraw. Similar stories created panics about a lack of food and a grain shortage, which led to people bulk-buying enough food for six months.

More directly, Russian hackers began to target opponents of the Ukraine invasion and the countries that received refugees or helped Ukraine with military aid. Poland’s cyber security alert levels are Alfa-CRP, Bravo-CRP, Charlie-CRP and Delta-CRP. Ever since the invasion, Poland has remained on the third level, Charlie, because of the threat of targeted attacks on critical infrastructure.

Phishing attacks also increased and were used for political purposes. Hackers got into Facebook and LinkedIn accounts to attack individuals. In response, there was an upsurge in work by anonymous vigilantes who began fighting against the Russian hackers. These revealed numerous data leaks and, sometimes, the personal information of Russian soldiers.

All this has huge implications for business continuity. We need to ask not only whether we have business continuity plans in place, but also whether these are updated constantly to meet new and emerging threats. Are they tested?


Lesson 3: Pressure = incentives

The problems are also interrelated. For example, inflation in Poland is currently 17.2 per cent – the highest in 26 years – and it is still rising. Before the pandemic it was between two per cent and four per cent. Interest rates are expected to reach seven per cent or higher this year. This has a negative impact on salaries and people become more vulnerable.

Companies therefore must work with, and prepare, their employees. As people become more anxious about money, there will be increased attempts to exploit employees to gain access to your company directly, even without technology. Hackers won’t need to break into your systems if they can pay an employee to reveal passwords.

It’s essential to put the right training in place and ensure that it is properly executed. Phishing simulations are key to this, but they must be done continuously – keep testing everybody, even those in your cyber and IT teams.

Governance, risk and compliance (GRC) teams need to assess their operations in Russia and Ukraine and, importantly, ensure that they are aware of all their direct and indirect links to these regions. For example, are they sourcing employees in these countries?

Look also at your vendors – are they using continuously running monitoring tools, and are these secure?


Lesson 4: Global events matter locally

It’s vital that you are aware of all data breaches and cyber security incidents as they unfold. Internal audit should also check the business complies with the latest economic sanctions and legislation, as these are subject to rapid change in response to political developments.

At the top level, all internal audit teams should take the opportunity to look again at their business’s risk profile and ask whether it has changed because of recent events. Consider your risk appetite – has this also changed and what mitigating actions do you need to put in place?

Last but not least, we need to repeat to management and the audit committee that there are no borders to cybercrime. We must all be prepared because the cyber risks and their drivers change and increase constantly. We need strong preventative controls and we must test our ability to respond repeatedly.

Cybercrime does not stop. The criminals are always looking for access, whether this is for financial gain or other purposes. As circumstances put more people under financial stress, incentives change and businesses need to reinforce employees’ security awareness and ramp up their testing regimes: Do people know the password rules? Do they use two-factor authentication? What is your security status now, and where do you want it to be? How will you get there? Do you have cyber insurance in place? Should you have it? All this is also true for your vendors.

This is not a local issue. We need to think about what it means globally as well as in our own region. If we start with our own organisations, we can put in place defences to ensure we’re not next on the hackers’ lists. And be prepared for when (not if) a hack succeeds by asking whether your external affairs team has prepared a resilience statement, and how you intend to mitigate reputational risk and protect and reassure customers. 

Magdalena Skorupa is IT&D Sr. director, platforms & architecture, data & analytics at Reckitt. This article is based on a talk she recently gave to the Chartered IIA’s Heads of Internal Audit forum.


This article was published in November 2022.