Today, organisations are rightly working to ensure their internal networks, data assets and customer- and client-facing websites are well protected and that business continuity and response plans are in place in the event of a cyber attack. The cost of cyber breaches can be ruinous, not only because businesses temporarily go offline, but because of the long-term reputational impact that comes with the loss of customers' and the public's trust.
By now all organisations should, at the very least, be certified under the UK government's Cyber Essentials scheme, which encompasses five key technical controls:
– Boundary firewalls and internet gateways
– Secure configuration
– Access control
– Malware protection
– Patch management
“Today’s measures may not be enough to defend against tomorrow’s risks”
To achieve the basic-level certification organisations must self-assess their systems and this must then be independently verified. The second level of certification, Cyber Essentials Plus, goes a step further by requiring that systems are independently tested, and Cyber Essentials is integrated into the organisation's information risk management.
However, the mitigation of cyber security risk means more than simply updating firewalls and malware protections. While critical, such measures alone fail to account for the scope of future risks associated with cyber and technology vulnerabilities. Organisations, through strong governance, risk management and third-line assurance, must work hard to stay on top of this pervasive and rapidly evolving threat. Today’s measures may not be enough to defend against tomorrow’s cyber risks; therefore, organisations must be as forward-looking as possible on the cyber front.
Dedicated cyber resource
All organisations of scale should have established, or be in the process of establishing, a dedicated cyber security function. Whether a sub-team of the existing IT function or a dedicated resource that reports directly to the chief security officer (CSO), companies must be installing a true end-to-end cyber security effort. This resource may be responsible for routine cyber hygiene such as patch management, firewall and malware protection updates, password management, data encryption, penetration testing and so on, but should also have a holistic perspective and review business processes and network system design, and what vulnerabilities these may present.
The organisation must understand how well designed and managed its defences and system processes are, and accountability for this should lie with a dedicated resource. From an internal audit perspective, heads of internal audit (HIAs) should be working to understand whether the organisation is appropriately resourced in this regard.
Emerging technology versus organisational strategy
More than that, however, there should be communication between senior management and this resource to ensure there is a clear understanding about the future strategy of the organisation, the extent to which that strategy will depend on technologies and, consequently, what potential vulnerabilities such technologies present.
The UK’s National Cyber Security Centre, a division of the Government Communications Headquarters, has signalled that future attention will need to be paid to the increasing prevalence of automation and the Internet of Things (IoT), a term used to describe the interconnectivity of smart devices.
The rise of IoT means the number of exploitable vulnerabilities is escalating. The burgeoning 'fourth industrial revolution' will increasingly see manufacturers and other companies incorporate internet connectivity into their production methods and service delivery to gain efficiencies, increasing the potential for competitors or rogue actors to disrupt production lines and steal sensitive data.
The NHS was one of the more notable victims of the WannaCry attack in May 2017 that exploited a Windows 7 security hole to infect more than 230,000 computers in over 150 countries. Hackers brought down networks and held data hostage, endangering the lives of patients. Further, in August America’s Homeland Security and the Food and Drug Administration recalled nearly half a million smart pacemakers manufactured by Abbott after identifying a security flaw that had to be closed with a firmware update.
Similarly, businesses continue to exploit the potential of automation. Already financial reporting and analytics, online marketing and even anaesthesiology can be carried out by robots, improving profit margins. This trend, however, creates scope for unmanned processes to be hijacked by malicious outsiders.
There is therefore a genuine emerging threat of critical smart devices and automated processes, whether life-saving medical apparatus or self-driving cars, being hacked and putting lives at risk.
HIAs should broach this with the audit committees and consider planning engagements to review the validity and robustness of management thinking around the future strategy of the organisation, what technologies will be required to enable that strategy and what relevant assurances will be
It is not only organisations’ future use of emerging technical applications that should be considered, but the computing capabilities that may come to underpin such applications. While the development of quantum computing is still in its infancy, some estimate that this next generation of computers could be market-ready within the next ten years. Quantum processors have the potential to process quantities of data on a scale that was not previously possible. It is therefore feasible that the next generation of computers will require a new standard of cryptography to keep internet communications and data assets secure.
Having a cyber resource within the organisation that is familiar with quantum processing may seem like a fanciful idea today. But the pace of innovation is such that we are likely approaching a new era that presents unforeseen security challenges. It is therefore a must that organisations stay abreast of technological developments and their implications for cyber security.
Internal audit has a role to play in evaluating to what extent the cyber function is staying on top of such developments, and whether management and the CSO are factoring into strategic and risk considerations future technological advances that, while currently not a reality, may soon require a radical overhaul of security measures and system design. We would not expect preparedness for leaps in computing power to feature in next year's audit plan. However, the audit committee and heads of internal audit may seek to gain assurance that the first line of defence is thinking sufficiently about future strategic technological threats.
Critical infrastructure test
State-sponsored attacks are already here and are due to increase, which has serious implications for operators of critical infrastructure. Knocking out the electrical grid may seem like a dystopian fantasy, but in 2015 a Ukrainian power station was taken offline in a cyberattack that temporarily left a quarter of a million people without electricity.
Legislators are already aware of the cyber security implications for critical infrastructure providers; the EU’s directive on security of network and information systems (NIS directive), which will be transposed into national law on 9 May 2018, for example, encompasses measures and requirements that apply to 'providers of essential services' such as energy, transport, water, health and digital infrastructure.
Consequently, it is not only internal failings and breaches that expose organisations to cyber risk. While essential service providers themselves should be concentrating their efforts to fend off attacks, organisations that rely on such services should have contingency measures in place should such critical infrastructure be taken offline.
For this reason, HIAs should be thinking about cyber security beyond the perimeters of the organisation itself and reviewing whether business continuity plans consider major outages at service providers as fundamental as the National Grid, as well as other key suppliers and network hosting services.
It is imperative that boards and internal audit future-proof their thinking around cyber security. Those organisations that dedicate resources to this threat, understand how technology will enable their strategy and vision, and stay on top of the scope of the threat and methods of attack will be more resilient than their peers.