Cyber risk: Top risk for 5th year for Internal Audit teams
Cyber risk has been high on the agenda of Audit Committees for a long time, and it has now been voted the No. 1 risk for the last five years in the CIIA annual Risk in Focus survey. The consequences of a cyber attack for organisations could be highly significant in terms of disruption to operations, reputational damage, theft or destruction of valuable or sensitive data, as well as the cost of fines by data regulators (and potentially ransoms paid to the hackers holding your data hostage).
Weaponised cyber attacks
In 2022, the UK National Cyber Security Centre (NCSC) urged organisations to “bolster their cyber security resilience in response to the malicious cyber incidents in and around Ukraine” and published updated guidance. The guidance referred to the destructive wiper malware being deployed against organisations in Ukraine and highlighted the risk that further attacks are likely to continue and may inadvertently spill over into organisations in other countries.
Emerging technologies & regulation
In the latest Risk in Focus, CAEs state that digital disruption, new technology and artificial intelligence (AI) will be their 4th biggest risk by 2027. AI offers organisations many new opportunities, but it can add complexity and new risk exposures. There are instances of AI being used to aid cyber attacks. Combined with the broader “attack surfaces” created by cloud and mobile technologies, and increasing integration with business partners and suppliers, organisations will need to continue investing in their security capabilities.
New mandatory requirements are being set in EU legislation such as the Digital Operational Resilience Act (DORA), the NIS2 Directive, Data Act and Cyber Resilience Act.
Protect your organisation
The NCSC guidance highlights the following areas:
- Patching is an essential protection and needs to be kept up to date. If attackers are seeking to exploit a known security vulnerability they move fast, and organisations with ineffective patching programmes are most vulnerable.
- Understand your Internet-facing footprint. Vulnerability scans / penetration testing of your whole internet footprint need to be performed regularly to ensure that everything that needs to be patched has been covered.
- Access controls need to be checked carefully. Where possible, use multi-factor authentication (MFA) and confirm that it is configured correctly. Check any third party access thoroughly, and remove unnecessary access.
- Anti-virus software and firewalls are important defences. Antivirus should be active on all of your systems and updated correctly. Firewall rules must operate effectively.
- Access to backups is vital for your organisation to be able to recover its systems. Your backup routines must be running correctly, and any backup failures addressed. The ability to restore from backups should be regularly tested.
- Provide mandatory training in cyber security regularly. Unless reminded, individuals can forget the level of threat, the importance of staying alert and reporting phishing or other suspected attempts at intrusion promptly.
- Logs must be configured and monitored, leveraging Intrusion Detection (IDS), Intrusion Prevention (IPS) and Security Information and Event Management (SIEM) systems to examine, monitor and analyse the events taking place in the network, detecting potential threats and security policy violations.
- Assume your systems will be affected by a cyber attack at some point. Check and test your incident response plans so that your organisation can deal with an incident effectively. Establish playbooks detailing your planned response to specific incident types.
- Your incident response team also needs to be thought through carefully so that individuals with the right skills and authority to take decisions are available at very short notice, including third party dependencies and on-call arrangements with specialist suppliers.
What should Internal Audit teams be thinking about?
Critical information assets (“crown jewels”) need to be well protected with defensive, monitoring and recovery controls strengthened as far as possible. Internal Audit teams should look at audit plans once again to determine whether the assurance scheduled will be sufficient to meet the needs of the Audit Committee and the organisation during this period of heightened risk, rapidly emerging technologies and new regulations.
Internal Audit may also wish to invest further in developing their own skills and understanding of this important risk area so that they can engage across the lines of defence, including with their colleagues in risk and IT security, and better explain the issues to the Audit Committee. Technical expertise on cyber is often sought from a co-source partner. Where this is the case, the internal audit team should look to work more closely with the partner team to build skills and maximise opportunities for knowledge sharing.
For further information, please contact Brad Duffell-Canham.