Institute's welcome

Good afternoon, everybody. I am John Wood, CEO at the Chartered IIA UK and Ireland. The topic for today is ‘Cyber Response Plans’. Cyber security is without a doubt the perennial risk of the 21st century, and it has been particularly exacerbated by the coronavirus pandemic and now by the war in Ukraine. Businesses have had to juggle competing priorities and operational disruption whilst ensuring that working devices and networks are secure. At the same time, criminals have sought to capitalise on these crises by exploiting remote working protocols through increasing the pace and sophistication of cyber-attacks. Whether your organisation is 10 people or 10,000, putting guidance in place on how to handle incidents will help you make good decisions under the pressure of a real incident. Taking the time to create a plan will help you identify gaps in your incident handling capabilities. Time is of the essence when it comes to minimising the consequences of a cyber incident and you want to do everything in your power to save your data. If a company does not have an incident response plan, the entire process of dealing with a cyber-attack can become an even more chaotic and daunting experience that could last indefinitely. I am joined today by:
Chair's opening comments

Thank you and good afternoon everyone. We talk about cyber security all the time and we all know how important a risk it is – it’s right up there for all our councils. But we wonder if our council will be the subject of a cyber-attack. The thing is, and I’m sure most of us know this, that our councils are subject to dozens of cyber-attacks every single day. It is the voracity of our IT defences and the vigilance of our staff and IT departments that repels them. As the saying goes, ‘the bad guys only need to be lucky once, and the good guys have to be lucky every single second of every day.’ Recent years have seen a significant rise in cyber security related incidents affecting the public sector, including attacks targeting health services, local government and even water supplies. Not only are these incidents becoming more frequent, but they are also becoming more sophisticated. The image you may have of a lone attacker – some guy sitting in his granny’s attic with a laptop – is an image that needs to be replaced with an image of a highly organised, knowledgeable and slick crime organisation with access to considerable resources. It is not unknown for nation states to use cyber-attacks as a weapon of war. As a response to this, it is vital that councils ensure that they have the knowledge, means and support to effectively defend themselves against determined adversaries and relentless cyber-attacks. A cyber incident response and recovery framework should cover the processes involved in the detection, containment and recovery from a cyber security incident. A comprehensive framework that includes policies, procedures and technical capabilities will guide and streamline the council’s response and recovery processes.

Maintaining these policies and procedures against a range of scenarios can prove to be vitally important in coordinating a council-wide response promptly and appropriately to a cyber security incident, and can ensure the continued delivery of essential services whilst the council works its way to full recovery. To talk to us today, we have Phil Byrne – Senior Audit Manager, GIAA Digital Data and Technology, and Pete Williams – Deputy Director, Internal Audit Specialisms, also at GIAA. Phil has responsibility for planning and managing a broad range of IT audits across a range of central Government departments, including the Ministry of Justice and the Department for Education. Pete’s role is to provide strategic and operational leadership to the GIAA IA Team. I’ll now invite them to take the floor.
Slides from the session are attached here. Notes below are supplementary.
Pete Williams - Deputy Director, Internal Audit Specialisms at GIAA and Phil Byrne – Senior Audit Manager, GIAA Digital Data and Technology
Chair's closing comments

Really interesting, thank you Pete and Phil. Ultimately, you could spend all your council’s budget and you still wouldn’t be secure on your IT. I can remember sitting in an audit committee where members were wanting to know how they could never succumb to cyber – you can’t, and getting that across to members and the public is part of the challenge. If the policy stance on ransomware was to refuse to pay, it would be interesting how long that position would last if you’re taking food out of people’s mouths and not delivering essential services; the longer that goes on, the more jittery the members and politicians are going to get. I’m glad you talked about IT skills and how, for cyber security, some elements need IT skills and the recovery will also involve some IT skills. I think as internal auditors, if we look at a recovery plan as non-IT specialists and can’t understand it, what about the rest of the council (as they are non-IT specialists too)? It is a good challenge: how clear is that plan? The focus should be on scenario planning – how can we sustain a service without use of IT at all? Having back-up manual processes so that you can still provide essential services – the IT could take some time to get back up and running and you still need to provide essential services. How will you do these? How will you prioritise? How will you focus resources? What governance and authorisation etc. do we need around that? Those were just some of my thoughts, but it is a fascinating subject, so thank you to Pete and Phil.
Institute's closing comments

Thank you all. As usual, notes, chat comments and the slides shared today will be placed on our web pages in the next day or two. Our programme of forums and topics for the second half of 2022 has now been uploaded to the website. We will shortly send out a meeting invitation so you can ensure the Forums are in your diary. Following today’s session there may be value in reading our report Mind the Gap: Cyber security risk in the new normal, which is available to all on our Policy and Research page on the website. It may also be useful to download the recently produced GTAG from IIA Global on Auditing Cyber Incident Response and Recovery. Our topic for the August session on 24th August 2022 is Modern Slavery. Thank you everyone, see you in August. Thank you for attending. As always, if you have any ideas or suggestions for what we might include in future agendas, please contact Liz Sandwith.
Q: What is good practice in testing cyber response plans?
A: Good practice is taking the testing as far as you can. Some organisations we’ve worked with will not run a live test, in terms of taking down their systems and services to test their response capability, for fear of not being able to bring them back online. In terms of good practice – take your testing as far as you can without disrupting business activity, which will be different for each organisation due to their risk appetite, as no one wants a system outage they can’t recover from. Rehearse your plan as much as you can, as often as you can, so you are ready. Test under different scenarios – when key staff are on annual leave, for example – so this is done under a worst-case scenario, even if it makes for uncomfortable reading.
Q: I was just curious as to your thoughts on how robust are the PSN accreditations around cyber security as a source of assurance?
A: I would say they are a robust source of assurance, but I wouldn’t necessarily rely on this as the only source of assurance. I would take that accreditation as part of a broader suite of assurance – so, for example, get assurance from penetration testing and vulnerability management as well. Whilst I would use this as part of a suite of assurance, I wouldn’t rely on it as the only source.
Q: What are your thoughts about whether internal audit is sufficiently equipped to provide assurance or highlight concerns across all these areas?
A: We aren’t deep technologists; as much as we are a DDaT team, we are still rooted in governance, risk and control, so these are the terms in which we look at cyber response plans, cyber risk and cyber security. We are internal auditors equipped to ask the right questions, e.g., can you describe your governance framework? Have you tested your plan? There are standards out there we can align against to help us do that; we don’t need to be deeply technical to audit this type of activity. We need to look at this activity through the governance, risk and control angle. Ask the fundamental questions without the technology angle. It’s not out of reach to ask probing, yet valuable, questions in terms of how our organisations manage their cyber security risk, and it’s within our capability to do that.
Q: Is this something within the capability of a general auditor, or are there any specific areas which would benefit from getting in a technical specialist to periodically supplement this assurance work?
A: There is value in that because we aren’t deep technologists, but there is a need to test our vulnerabilities, e.g. through penetration testing, which is one angle of attack. We have orchestrated external phishing tests to test ourselves as an organisation and to test our own awareness in identifying potential cyber security incidents. Internal audit is involved in the design of that test to make it realistic. There are many ways we can help, e.g. helping to look for vulnerabilities on our systems and services, or doing discovery exercises to make sure our systems are patched appropriately. Occasionally we do need third-party support to do that – e.g. on the user awareness side of things, to ensure there is sufficient user awareness to detect and prevent cyber incidents, or indeed near misses just as much as actual incidents, so we can learn lessons from them.