
Local Authority Internal Audit Virtual Forum

27 July 2022

Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Institute's welcome

Good afternoon, everybody. I am John Wood, CEO at the Chartered IIA UK and Ireland.

The topic for today is ‘Cyber Response Plans’. 

Cyber security is without a doubt the perennial risk of the 21st century, and it has been particularly exacerbated by the coronavirus pandemic and now by the war in Ukraine. Businesses have had to juggle competing priorities and operational disruption whilst ensuring that working devices and networks are secure. At the same time, criminals have sought to capitalise on these crises by exploiting remote working protocols through increasing the pace and sophistication of cyber-attacks.

Whether your organisation is 10 people or 10,000, putting guidance in place on how to handle incidents will help you make good decisions under the pressure of a real incident. Taking the time to create a plan will help you identify gaps in your incident handling capabilities.

Time is of the essence when it comes to minimizing the consequences of a cyber incident and you want to do everything in your power to save your data. If a company does not have an incident response plan, the entire process of dealing with a cyber-attack can become an even more chaotic and daunting experience that could last indefinitely.

I am joined today by:  

  • Piyush Fatania, Chair for today and a member of the Institute’s Council
  • Liz Sandwith, Chief Professional Practices Adviser for the Chartered IIA UK and Ireland

Chair's opening comments

Thank you and good afternoon everyone. We talk about cyber security all the time and we all know how important a risk it is – it’s right up there for all our councils. But we wonder if our council will be the subject of a cyber-attack. The thing is, and I’m sure most of us know this, that our councils are subject to dozens of cyber-attacks every single day. It is the voracity of our IT defences and the vigilance of our staff and IT departments that repel them. As the saying goes, ‘the bad guys only need to be lucky once, and the good guys have to be lucky every single second of every day.’

Recent years have seen a significant rise in cyber security related incidents affecting the public sector, including attacks targeting health services, local government and even water supplies. Not only are these incidents becoming more frequent, but they are also becoming more sophisticated. The image you may have of a lone attacker – some guy sitting in his granny’s attic with a laptop – is an image that needs to be replaced with an image of a highly organised, knowledgeable, and slick crime organisation, who have access to considerable resources. It is not unknown for nation states to use cyber-attacks as a weapon of war. As a response to this, it is vital that councils ensure that they have the knowledge, means and support to effectively defend themselves against determined adversaries and relentless cyber-attacks.

A cyber incident response recovery framework should cover the processes involved in the detection, containment, and recovery from a cyber security incident. A comprehensive framework that includes policies, procedures, and technical capabilities will guide and streamline the council’s response and recovery processes. Maintaining these policies and procedures against a range of scenarios can prove to be vitally important in coordinating a council-wide response promptly and appropriately to a cyber security incident and can ensure the continued delivery of essential services whilst the council works its way to full recovery.

To talk to us today, we have Phil Byrne – Senior Audit Manager, GIAA Digital Data and Technology – and Pete Williams – Deputy Director, Internal Audit Specialisms, also at GIAA. Phil has responsibility for planning and managing a broad range of IT audits across a range of central Government departments including Ministry of Justice and the Department for Education. Pete’s role is to provide strategic and operational leadership to the GIAA IA Team. I’ll now invite them to take the floor.

Key takeaways

Slides from the session are attached here. Notes below are supplementary. 

Pete Williams - Deputy Director, Internal Audit Specialisms at GIAA and Phil Byrne – Senior Audit Manager, GIAA Digital Data and Technology

  • Work across government cuts to the heart of why GIAA was established to generate a birds-eye view and share insight across government, especially in areas of pervasive risk, of which cyber security is a prime example.
  • Key to our role is ensuring cyber security receives sufficient attention at the right levels within our organisation.
  • You don’t have to spend long on the internet to find headlines relating to cyber incidents. It’s worrying to see cyber security relegated to an afterthought, as though it’s solely a concern for the IT department. If the consequences of a breach are organisation-wide – so must be the shared responsibility for cyber security.
  • Some research published yesterday from the US stated that while 99% of security leads agreed that a strong security culture is important, 30% of employees don’t think they play a role in maintaining their company’s cyber security posture.
  • If there is a cultural disconnect between the awareness of CISOs and senior leaders, and more of a laissez-faire approach adopted elsewhere, then we as internal audit need to be at the forefront of challenging this.
  • Cyber security to many can be a bit of a mystery, there are misconceptions about how to approach cyber security and incident response planning. Perfection is not feasible when it comes to cyber security.
  • Data is the lifeblood of what central government and local government do – this data is what will drive your core business processes and core business activities.
  • Disruption or loss of data can have a sustained effect on your ability to execute your services, e.g. for DWP and the disruption of benefits. We are talking about taking food out of people’s mouths.
  • 40% of cyber-attacks in 2021 affected the public sector. We are in the crosshairs of cyber attackers.
  • Ransomware is a bigger target. It takes on many forms and is becoming big business, attacking many sectors. Ransomware is not necessarily a highly technical type of cyber-attack. There is an accepted principle now of purchasing ransomware as a service, in the same way that we may purchase software in this way. Ransomware as a service is now freely available, on a subscription basis, franchise basis or a chance of success basis. These attacks are live, frequent – we need to be alive to those threats.
  • Phishing is our weakest link as it involves people. Phishing can be as simple as clicking on an email link or downloading software from the internet, which could be enough to take down your system.
  • A high proportion of our audit activity in the cyber risk and security space receives lower assurance opinions, which is not a comfortable position to be in when talking about significant government organisations.
  • There is a lot of support out there to help us manage cyber security; the NCSC has 10 steps.
  • Can we afford downtime? Risk of disruption and service delivery means we need a lens on the productivity side and how the business will be impacted if an incident is identified.
  • Difficult to build a reputation but easy to lose it, so need to have this in mind when putting our incident plans together.
  • Response plans should be living documents. These should be revisited frequently to ensure they stay relevant, reflect core business activity and strategic direction.
  • The challenge for us is what we can do with the resources available to us. We could make an industry out of managing cyber risk and creating an incident response plan because of the depth and breadth of the subject. Cyber risk is not just a technology risk. When cyber risk materialises, it will be in one of your operational areas.
  • Cyber incident response plans should be in your audit plan in some capacity. We need to be ready for any incident and need to have a plan in place, which is well rehearsed, well planned, regularly revisited and refreshed, so that we are ready when the worst happens.
  • Internal audit needs to think about how the cyber incident response plan links with other existing plans – e.g. Business Continuity and Disaster Recovery plans. If these are out of sync with one another, our response won’t be coordinated and may fail to recover what’s needed.
  • The cyber supply chain could include cloud hosting or data storage arrangements and so a cyber incident could be in the supply chain.
  • Testing the incident plan – have we tested the plan? Does it work? Or did we do theoretical, desk-based testing and not really taken down systems and services to test the response? How do we know our plans are going to work and are we comfortable with the level of testing conducted?
  • Governance arrangements – are these arrangements robust enough with sufficient communication and reporting lines? This needs to be revisited frequently. Are plans refreshed in line with any restructuring which may have occurred?
  • Need to dedicate time to consider policy stance in relation to ransomware and external comms – how much do we want to publicise? Will we be prepared to pay a ransom demand and does our policy reflect that?

Chair's closing comments

Really interesting, thank you Pete and Phil. Ultimately, you could spend all your council’s budget and you still wouldn’t be secure on your IT. I can remember sitting in an audit committee and members were wanting to know how they could never succumb to cyber – you can’t and getting that across to members and the public is part of the challenge.

If the policy stance on ransomware was to refuse to pay, it would be interesting how long that position would last if you’re taking food out of people’s mouths and not delivering essential services. The longer that goes on, the more jittery the members and politicians are going to get.

I’m glad you talked about IT skills and how for cyber security, some elements you need IT skills and the recovery will also involve some IT skills. I think as internal auditors, if we look at a recovery plan as non-IT specialists and can’t understand it, what about the rest of the council (as they are non-IT specialists)? It is a good challenge, how clear is that plan?

The focus should be on scenario planning – how can we sustain a service without use of IT at all? Having back up manual processes so that you can still provide essential services – the IT could take some time to get back up and running and you still need to provide essential services. How will you do these? How will you prioritise? How will you focus resources? What governance and authorisation etc., do we need around that?

Those were just some of my thoughts, but it is a fascinating subject, so thank you to Pete and Phil.

Institute's closing comments

Thank you all.

As usual, notes, chat comments and the slides shared today will be placed on our web pages in the next day or two.

Our programme of forums and topics for the second half of 2022 has now been uploaded to the website. We will shortly send out a meeting invitation so you can ensure the Forums are in your diary.

Following today’s session there may be value in reading our report Mind the Gap: Cyber security risk in the new normal, which is available to all on our Policy and Research page on the website. It may also be useful to download the recently produced GTAG from IIA Global on Auditing Cyber Incident Response and Recovery.

Our topic for the August session on 24th August 2022 is Modern Slavery.

Thank you everyone, see you in August.

Thank you for attending. As always, if you have any ideas or suggestions for what we might include in future agendas, please contact Liz Sandwith.

Q&A and chatbox comments

Q: What is good practice in testing cyber response plans?

A: Good practice is taking the testing as far as you can. Some organisations we’ve worked with will not run a live test in terms of taking down their systems and services to test their response capability for fear of not being able to bring them back online. In terms of good practice – take your testing as far as you can without disrupting business activity, which will be different for each organisation, due to their appetite, as no one wants a system outage they can’t recover from. Rehearse your plan as much as you can, as often as you can, so you are ready. Test under different scenarios – when key staff are on annual leave, for example, so this is done under a worst case scenario, even if it makes for uncomfortable reading.

Q: I was just curious as to your thoughts on how robust are the PSN accreditations around cyber security as a source of assurance?

A: I would say they are robust as a source of assurance, but I wouldn’t necessarily rely on this as the only source of assurance. I would take that accreditation as part of a broader suite of accreditation, so for example get assurance from penetration testing and vulnerability management. So whilst I would use this as part of a suite of assurance, I wouldn’t rely on this as the only source.

Q: What are your thoughts about whether internal audit is sufficiently equipped to provide assurance or highlight concerns across all these areas? 

A: We aren’t deep technologists; as much as we are a DDaT team, we are still rooted in governance, risk and control, so these are the terms in which we look at cyber response plans, cyber risk and cyber security. We are internal auditors equipped to ask the right questions, e.g., can you describe your governance framework? Have you tested your plan? There are standards out there we can align against to help us do that; we don’t need to be deeply technical to audit this type of activity. We need to look at this activity through the governance, risk and control angle. Ask the fundamental questions without the technology angle; it’s not out of reach to ask probing, yet valuable questions in terms of how our organisations manage their cyber security risk, and it’s within our capability to do that.

Q: Is this something within the capability of a general auditor, or are there any specific areas which would benefit from getting in a technical specialist to periodically supplement this assurance work?

A: There is value in that because we aren’t deep technologists, but there is a need to test our vulnerabilities, e.g. through penetration testing, which is one angle of attack. We have orchestrated external phishing tests to test ourselves as an organisation and to test our own awareness to identify potential cyber security incidents. Internal audit is involved in the design of that test to make this realistic. There are many ways we can help, e.g. to help look for vulnerabilities on our systems and services, and do discovery exercises to make sure our systems are patched appropriately. Occasionally we do need third party support to do that – e.g. on the user awareness side of things, to ensure sufficient user awareness to detect and prevent cyber incidents, or indeed near misses just as much as an actual incident, so we can learn lessons from that.