Heads of Internal Audit Virtual Forum

18 May 2022

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Participants

Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA

Chair's opening comments

We have Magdalena Skorupa with us today, having joined a session with us last year to talk about Cyber. Magdalena works for Reckitt Benckiser, based in Warsaw, Poland and therefore particularly impacted by the situation in Ukraine just now.

I spoke to Magdalena about a month ago to get an update from her about what’s important in her world and of course there is a lot going on there, particularly in the cyber world which is obviously very relevant to share today. I’ll hand over to Magdalena now to give her plenty of time to share her thoughts and share her view of the world today.   


Key takeaways

Slides attached from the session. Notes below are supplementary.

Magdalena Skorupa, Cyber Director, IT Risk, Data Privacy, Validation and Compliance, Reckitt Benckiser:

  • I would like to talk to you today about cyber security risk profile – how I see it and the risk impacts, together with the role of the Risk/GRC and internal audit teams.
  • I have over 20 years of experience, which is a mix of IT, cyber, internal audit and consulting. I’ve been at Reckitt Benckiser for four years.
  • In terms of the situation we currently find ourselves in – as we all know on 24 February 2022, the Russian invasion of Ukraine began. Whilst it had been on the cards since 2014, we couldn’t believe the extent of what we were seeing.
  • The map of Ukraine shows the neighbouring countries where refugees started arriving. The majority of the Ukrainian refugees started coming to Poland. Some 3.5 million of the total 6 million refugees are recorded in Poland, although these are ‘officially registered’ refugees – there are likely more who have come to stay with family already living and working in Poland.
  • The largest proportion of the influx came in the space of the first 2-3 weeks and the majority have settled in the largest cities: Warsaw, Gdansk and Krakow and not in the countryside. The fact they stay in these cities also becomes a problem.
  • This follows Covid-19 and living in a pandemic state. In Poland, COVID all but disappeared on 24 February 2022 when the invasion started.
  • COVID had a significant impact on how we were operating as a company. We had to completely switch our modus operandi – everyone had to work from home, people were forced to isolate if they tested positive and all of a sudden, from one day to the next, the company had to work out how to balance their resources, how would they stay secure, do employees know what to do, how to behave?
  • For Reckitt, we had the cloud roadmap prepared, but we had to expedite the activities to the highest priority level to ensure that our people and our data were safe.
  • There are lots of challenges for and in hosting refugees. The refugee crisis is impacting socially in terms of accommodation, on the workforce (mums need to take care of the children so not many new entrants to the workforce), on food and supplies, more widely on education (particularly as the refugees may not stay in Poland long term) and accessing medical treatment.
  • Russian disinformation is something which changes from one day to the next. It started on 24 February and I have a couple of examples of the impact of this sort of disinformation:
    • There was some information put out that petrol stations would run out of fuel. Everyone was dashing to the petrol station with their jerry cans to get excess fuel. The result was kilometres of queues and those that were in need couldn’t get fuel. Limits, such as half a tank, were put on purchases, with people sometimes having to drive 50km to get fuel.
    • Another story was that the banks were going to have problems dispensing cash. Everybody immediately went to the ATMs and bank branches to withdraw their savings in cash. Banks had to put limits on how much they could withdraw.
    • There were also stories to create panic around a lack of food/grains, which led to people bulk buying in the supermarkets, to the extent they looked as though they had food for six months.
  • Russian hackers deliberately started targeting opponents of the Ukraine invasion and the countries receiving refugees or helping Ukraine in a military sense.
  • The levels of cyber security used are ALFA/Bravo/Charlie/Delta-CRP. Since the invasion, Poland is still on the third level, Charlie, because of the critical infrastructure, the banks etc. can be targeted.
  • Phishing attacks started. They started to successfully hack Facebook accounts, LinkedIn accounts – people became victims of these attacks.
  • Anonymous vigilantes – fighting against the Russian hackers. People were volunteering to become hackers even if they’d never done it before. They revealed numerous data leaks, personal information of Russian soldiers.
  • Business continuity – do we have business continuity plans in place? Are they updated? Are they tested?
  • Cyber war has no borders – it is not just about an invasion of Ukraine by Russia.
  • The economic situation currently in Poland; inflation is currently at 12.3% and growing. Before the pandemic it was between 2% and 4%. Interest rates have increased consecutively each month for the last 8 months, starting at 0.1% in September 2021 to 5.25% now and is expected to reach 7% or higher.
  • The negative impact on your salary is around 10-15% comparing January 2022 to January 2021. People will become more vulnerable as a result of economic difficulty.
  • You must prepare your employees, as people will be more desperate for extra pay. It is likely that people will try and exploit employees for access to your company directly, even without technology. They won’t need to break into your systems – they can approach an employee and ask them for passwords in exchange for money.
  • Training must be in place and properly executed. Phishing simulations are key but they must be done continuously, to keep testing people. Even those in your cyber and IT teams – they might fail so they also need to be tested regularly.
  • GRC teams need to assess operations in Russia and Ukraine and importantly all the direct and indirect links there. Are they sourcing employees in these countries?
  • You need to look at vendors – using tools that are 24/7 for monitoring and assess whether they are secure.
  • You need to be aware of data breaches and cyber security incidents as they unfold.
  • Internal audit should ensure compliance with the latest economic sanctions and legislation as these are subject to regular change.
  • What is your risk profile, has it changed drastically recently? What is your risk appetite? Has this changed? What mitigating actions do we need to put in place?

There are no borders to cybercrime. Are you prepared?

We are facing the most significant cyber risk profile ever. Our preventative controls need to be strong and our ability to respond must be tested.

Cyber criminals do not sleep or stop. They’re always looking for financial gains or access dependent on their motives. As life becomes more financially difficult – it’s important to put effort into security awareness and test employees all the time. Do your people know the password rules? Do they use two-factor authentication? What is your security posture currently and where do you want it to be? How will you get there? You need to do the same for your vendors. Do we have cyber insurance in place? Should we?

 

Institute's comments

Thank you. Magdalena’s presentation has really reinforced that we need to be going back to our organisations and ask some detailed and comprehensive questions. Please have a look at our cyber ‘Mind the Gap’ report, which has some questions in there you could ask your organisations. Find out how your organisation has drilled down to who your suppliers and customers are. Are you asking the right questions of your customers and suppliers? Do they have a cyber security policy in place? Is it on their radar? If it is a small organisation, can you help them with this?

One of the things Magdalena’s highlighted that really stood out for me is that we need to think about what this is doing globally as well as within our own world and focus heavily on our own organisation to ensure we’re not next on the list to be hacked.

From what Magdalena is telling us, I think it’s a case of when, not if. So, there is a need to be ready for when that when happens. Even things such as asking your external affairs team to prepare a resilience statement which the organisation can send out if it’s hacked, this demonstrates that you’re mitigating reputational risk, you’re looking ahead, that you’ve thought about your customers and are doing your very best in challenging circumstances. 


Chair's closing comments

Thank you, Magdalena. When I invited Magdalena, I wanted her to share her thoughts and feelings and I think she’s done that today. We are next door to Ukraine in the cyber world, there’s no doubt about that.

We’re all in the same situation, although we haven’t quite got the profound effect that Magdalena is experiencing in terms of the physical transfer of people but we are on the ‘hit-list’ of cyber targets and we do have an environment of high inflation, which is similar, albeit probably a few months behind Poland.

We are aware of three organisations, across the education, charity and retail sectors who have been recently subjected to hacking attacks. None of these organisations would have thought themselves key priorities for a hacker, but all have lost significant amounts of customer data and are unsure where they go now. For at least two of the organisations, they had tested the controls, but they hadn’t tested in depth. They hadn’t really checked the front line – the people who have the email addresses, the people who speak to the customers, and share information on a day-to-day basis. So this comes back to Magdalena’s point – check with the staff.

We hope to be able to welcome Magdalena back to a future session. 

As usual, notes and chat comments will be placed on our web pages in the next 24 hours.

Our next session on 8 June is on Organisational and Strategic Resilience and we hope to see you then.

We have a number of events scheduled for the coming months, including our Leaders Summit and our Internal Audit Conference. Please visit our Events section for further details.