Cyber security has been recognised as one of our key risks for a number of years now and will feature once again when we publish our Risk in Focus 2021 report on 22 September 2020.
It was certainly one of the primary topics when we selected the priorities for the forum a few weeks ago. Potentially because many of you see it as a high inherent risk and, given the constantly and rapidly changing environment, a high residual risk as well.
It is also a subject which we sometimes find difficult to deliver sufficient assurance over. Occasionally due to availability of skills or resources to buy them in and sometimes due to the multitude of other priorities we have.
Today’s speaker is Noel Comerford, Senior Manager, Cyber Risk Services in Deloitte. Noel will provide, what I hope for many, is confirmation of your current approach to the subject and for some, a challenge to your current approach. The talk track supporting today’s session will be shared on our web page along with responses to the questions raised.
At the start of the Forum we ran a quick poll, the results of which are shared below.
The talk track slides supporting today’s session along with responses to the questions raised can be accessed below:
Our reflections from the session are noted below.
The key message coming out of this is that, as internal audit, we need to be very mindful of providing false assurance.
Tackling a topic that we are, perhaps, not competent to tackle presents a risk to the organisation. Whilst not suggesting that we use competency as a wall to hide behind if we think a topic is too difficult for us, I do think that we have to be mindful of our ability to undertake a piece of work in this space, looking at it from a risk and internal controls perspective.
The speaker talked about governance structures and where cyber sits within your organisation.
The impact on the organisation of a cyber-attack can be catastrophic. We saw it with the NHS a few years ago when they had an attack. Transfer that attack to now, or to earlier this year when the NHS was tackling COVID-19, and something like that would have been horrendous. We have a duty to be mindful of all of this across our organisations. No surprise, it is the number one risk in our Risk in Focus 2021 report.
As internal auditors, we have an obligation to our organisations to flag our concerns. There is also an obligation on us to be honest: if we don’t have the skill set in our team to undertake audit work in this space, then we flag it to the audit committee and obtain the necessary support. The biggest concern is false assurance.
Added after the meeting
Internal audit can offer its view on the extent to which any relaxing or adaptation of controls has increased the risk of data leakage or security breaches. The real question is: what has changed? That applies externally (e.g. a rise in phishing attempts) and internally (e.g. a lack of staff cyber awareness training post-crisis, or security patching of homeworking devices not being managed as effectively as on-site). By understanding where the most disruption lies, as well as where the highest-value data assets reside, internal audit can determine the impact of any change on the organisation’s information security risk and the control environment that is in place to mitigate it.
Staff awareness and understanding of information security risk is absolutely essential. This applies to protocols around the use, management and storage of confidential data to prevent data leakage, and to ensuring workers know how to spot cybercrime so that people do not succumb to phishing and spear-phishing (targeted at a specific individual) attempts, which can result in costly malware and ransomware attacks and fraud by deception. Internal audit can and should check whether cybersecurity awareness is being sufficiently fostered and whether staff training has been updated in light of changes to the working environment and IT infrastructure. It should also attempt to provide assurance that staff are not circumventing processes to save time and effort.
Internal audit can also be a sounding board for information security teams that may be forced to adapt the IT control environment to keep the business operational and as efficient and productive as possible in the face of shock events. Any high-risk control changes will need to be reported to senior management to check that they are within the organisation’s cyber-risk appetite.
Finally, the survey you completed at the start of the session today identified that 90% of you believe that there is a gap between the desired and current cyber security culture in your organisation. As a headline, this is a very significant comment and certainly appears to suggest that there is still a lot that we can add in terms of guidance to our organisations.
Our next meeting will be on the 16 September and will focus on culture.
Please have a look at the agenda and let me know if there are any other topics you would like to include and/or if you would like to contribute; we are keen for Heads of Audit to present on each of the topics we are covering in these sessions. Please contact me at firstname.lastname@example.org
A topic that I have been discussing today is Diversity and Inclusion, and whether internal audit should be providing assurance on this subject. It has a regulatory focus now; I don’t know how many of you provide assurance around this and would be interested to hear from anyone interested in talking about this in a future session. If you have any thoughts you would like to share, I would be interested in having a conversation with you to position this topic for the future.
Following the previous session on data analytics, we will be creating a discussion group; further information will be provided in due course.