Heightened cyber risk – update for Heads of Internal Audit

Cyber has been high on the agenda of Audit Committees for a long time, and cyber risk has been voted the number one risk for the last four years in the Institute of Internal Auditors (IIA) annual risk survey. The consequences of a cyber-attack for organisations could be highly significant: an inability to conduct their operations, reputational damage, theft or destruction of valuable or sensitive data, as well as the cost of potentially paying a ransom or fines imposed by data regulators.


The immediate threat has increased

In January 2022, the UK National Cyber Security Centre (NCSC) urged organisations to “bolster their cyber security resilience in response to the malicious cyber incidents in and around Ukraine” and published updated guidance. The guidance specifically referred to the destructive wiper malware being deployed against organisations in Ukraine and highlighted the risk that further attacks are likely to continue and may inadvertently spill over into organisations in other countries. This was followed by a report in February 2022 from the Joint Cyber Security Advisory highlighting the growing threat of ransomware attacks. There is also growing pressure on cyber insurance arrangements, with "war exclusion" and "hostile act exclusion" contract language under scrutiny. This could impact claims, premiums and the ability of organisations to obtain cover. The NCSC guidance sets out the following areas of focus.

Required action for business

Patching is an essential protection and needs to be kept up to date. Where attackers are looking to exploit a known security vulnerability they move very fast, and it is those organisations with ineffective patching programmes that are caught out. Patching needs to be comprehensive and include user desktops, laptops and mobile devices, third party software such as browsers and office productivity suites, firmware, internet-facing services and key business systems. In particular, the organisation needs to fully understand its internet-facing footprint (e.g. IP addresses, domain registration data) and ensure records of this are up to date. Vulnerability scans/penetration testing of the whole internet footprint need to be performed regularly to ensure that everything that needs to be patched has been covered. At times of heightened risk, patching timeframes should be brought forward.

Access controls need to be checked carefully. Passwords need to be strong and unique to business systems and not shared with non-business systems. Old user accounts need to be reviewed regularly and removed. Extra focus should be applied to privileged or administrator access rights. Where possible, multi-factor authentication (MFA) should be used and checked to confirm it is configured correctly. Third party access needs to be checked thoroughly and controlled, and unnecessary access removed.

Anti-virus and firewalls are important defences. Antivirus software needs to be installed and active on all systems, with signatures updated correctly. Firewall rules need to be operating as expected. Temporary rules are a particular weakness and need to be reviewed to ensure that none have been left in place beyond their expected lifetime. Devices (smartphones, tablets, laptops and desktops) need the most appropriate and up to date security configuration implemented. Logging also needs to be reviewed, with the NCSC recommending that logs are retained for at least one month and that anti-virus and key logs are monitored carefully. Intrusion Detection (IDS) and Intrusion Prevention (IPS) systems should be up to date, and used to examine, monitor and analyse the events entering and taking place in the network, detecting potential threats (e.g. malicious or unusual network traffic, port scanning, malware) and security policy violations. Not every network has the size and profile to justify a Security Information and Event Management (SIEM) system, but this technology makes use of IDS and IPS data while also incorporating log information from other sources to build a better overall view of the security landscape and facilitate action.
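The review of temporary firewall rules described above can be scripted against a rule export so that an auditor can evidence the check. This is an added example, not part of the NCSC guidance or this update; the record format, the field names and the 30-day default for rules lacking an expiry date are assumptions.

```python
"""Audit check: temporary firewall rules left in place beyond their lifetime.

Assumed (hypothetical) rule export format: one record per rule with an id,
a description, a 'temporary' flag, the creation date and an optional expiry.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class FirewallRule:
    rule_id: str
    description: str
    temporary: bool
    created: date
    expires: Optional[date]  # None: no expiry date was recorded for the rule


def overdue_temporary_rules(rules: List[FirewallRule], today: date,
                            max_days_without_expiry: int = 30) -> List[str]:
    """Return ids of temporary rules that should already have been removed.

    A temporary rule is a finding when its recorded expiry has passed, or when
    it has no expiry at all and is older than max_days_without_expiry (an
    assumed policy threshold, not a figure from the NCSC guidance).
    """
    findings = []
    for rule in rules:
        if not rule.temporary:
            continue  # permanent rules are reviewed separately
        if rule.expires is not None:
            if rule.expires < today:
                findings.append(rule.rule_id)
        elif (today - rule.created).days > max_days_without_expiry:
            findings.append(rule.rule_id)
    return findings


def temporary_rules_missing_expiry(rules: List[FirewallRule]) -> List[str]:
    """Return ids of temporary rules with no expiry date recorded at all.

    Such rules can never age out automatically, so they are a control weakness
    even before they become overdue.
    """
    return [r.rule_id for r in rules if r.temporary and r.expires is None]


# Constructed sample export used to exercise the checks.
SAMPLE_RULES = [
    FirewallRule("FW-001", "Corporate VPN inbound", False, date(2021, 6, 1), None),
    FirewallRule("FW-002", "Vendor remote support", True, date(2022, 2, 1), date(2022, 2, 15)),
    FirewallRule("FW-003", "Migration window", True, date(2022, 2, 25), date(2022, 3, 10)),
    FirewallRule("FW-004", "Troubleshooting hole", True, date(2022, 1, 10), None),
    FirewallRule("FW-005", "Short-lived test rule", True, date(2022, 2, 20), None),
]
```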

Access to its backups is vital for an organisation to be able to recover its systems. Backup routines must be running correctly and any backup failures addressed. The ability to restore from backups should be tested regularly. Multiple backup copies, including a recent offline copy, must be retained. These must include machine state and critical external credentials such as private keys and access tokens.

The heightened risk needs to be communicated to staff. Mandatory training in cyber security needs to be provided regularly and reintroduced if it has not been undertaken recently. Unless reminded, individuals can forget the level of threat to the organisation, the importance of staying alert, and the need to report phishing emails or other suspected intrusion attempts promptly.

Organisations should assume that their systems will be affected by a cyber attack at some point. The capability of the IT team needs to be reviewed to confirm that the necessary skills are available. In the event of a cyber incident, judgement and decisions will be needed, and solutions will have to be found. Incident response plans need to be checked and tested so that the organisation can deal with an incident effectively. Playbooks should be established detailing the response to each specific incident type, in particular: malware/ransomware infection, phishing email, or data breach. A test of the response plans should be performed as a priority if these scenarios have not been checked recently.

Most importantly these plans need to consider the technical aspects of responding to an incident. The technical response can be broken down into distinct stages:

  • Triage - understanding the type of the incident (e.g. malicious code, Distributed Denial of Service, phishing, unauthorised access, insider action, data breach, targeted attack) and its severity (determined by whether data availability has been affected, sensitive data accessed, leaked or stolen, or data and systems have been altered so that they cannot be trusted)
  • Analysis - capturing and analysing data and information to understand the attack
  • Containment/mitigation - immediate actions to stop, contain or mitigate the attack impacts and limit the spread of the problems
  • Remediation/eradication - fully removing the attacker or threat from the network and confirming successful remediation
  • Recovery - putting clean systems back on-line, recovering data if needed and removing any temporary mitigation measures before resuming business as usual.

So that these stages can be completed successfully, organisations must ensure that they have maintained sufficient records about their IT infrastructure and can access the information and tools (including specialist software) that they will need to resolve the issue. These include detailed network diagrams, logs and other data sources, IT assets and configurations, together with analytics, remediation and recovery tools.

The incident response team also needs to be thought through carefully so that individuals with the right skills and authority to take decisions are available at very short notice, including third party dependencies and on-call arrangements with specialist suppliers where they form part of the team. In particular, the team will need to include representation from legal, data protection compliance, risk management, communications, the Board and operational management, as well as IT expertise.

What this means for Heads of Internal Audit

Since the NCSC’s call to all organisations to bolster their cyber defences, Heads of Internal Audit should be looking at their audit plans once again to determine whether the assurance scheduled will be sufficient to meet the needs of the Audit Committee and the organisation during the current period of heightened risk.

Although cyber may have been subject to an audit previously, now is the time to double down on the key controls and to make sure that the organisation has taken the necessary steps to secure its network and can respond to an incident rapidly. Precise questions need to be answered in the light of the NCSC guidance. Critical information assets (“crown jewels”) need to be well protected, with defensive and monitoring controls strengthened as far as possible and backups retained that cannot be rendered unusable by an attack. Incident response plans must be capable of rapid activation, with immediate availability of key individuals (including third party specialists), access to detailed information about the network, and the tools necessary to respond.

Heads of Internal Audit may also wish to invest further in developing their own skills and understanding of the impact of this important area on the organisation, so that they can credibly engage with colleagues in IT security and better explain the issues to the Audit Committee. Technical expertise on cyber is often sought from a co-source partner. Where this is the case, the internal audit team should look to work more closely with the partner team to build skills and maximise opportunities for knowledge sharing. Cyber is likely to be a key area for assurance for the foreseeable future.