
Auditing cyber security culture

This guidance provides internal auditors with a good understanding of what a robust cyber risk culture looks like and highlights a series of questions to ask in order to evaluate the quality and robustness of their organisation’s cyber risk culture.

What is cyber security culture

The internal audit imperative

Why is cyber culture important?

An implementation guide for cyber security culture

Role of internal audit

Key cyber security culture questions to ask


What is cyber security culture

Cyber security is without a doubt the perennial risk of the 21st century, and it has been particularly exacerbated by the coronavirus pandemic. It regularly features among the top risks in the Chartered IIA's Risk in Focus reports. In facing such a constant and evolving threat, organisations need to structure their defences around robust and lasting foundations. One of these foundations is cyber security culture, which is the focus of the Institute’s research report Mind the Gap: Cyber security risk in the new normal, a report offering insightful interviews on providing assurance in this space.

The 2018 publication Cyber Security Culture in Organisations, published by ENISA (European Union Agency for Network and Information Security) defines cyber security culture (CSC) as “the knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values of people regarding cyber security and how they manifest in people’s behaviour with information technologies.”

The report further stresses that “CSC is about making information security considerations an integral part of an employee’s job, habits and conduct, embedding them in their day-to-day actions. Adopting the right approach to information security enables a resilient CSC to develop naturally from the behaviours and attitudes of employees towards information assets at work, and as part of a company’s wider organisational culture, its CSC can be shaped, directed and transformed.”

Most organisations are now realising that forced compliance with cyber security policies is not enough to create the multi-layered defence system required to respond to more sophisticated threats, especially those utilising social engineering techniques. Only a strong culture can create the proactive state of alertness in every employee of the organisation which will enable an effective and resilient cyber security technical framework.

An effective, resilient technical cyber security framework includes four actions:

  • Identification of the threat vectors and relevant risks to the organisation
  • Protective measures and tools
  • Detection devices
  • Recovery process (in case of a successful attack).

However, to be effective, a technical framework must be supported by an enabling environment promoting situational awareness, testing, and learning, which are all part of a good CSC. For too long, cyber security was considered a pure IT issue to be solved with technical tools, with no need to involve non-IT employees. In fact, the opposite is true: a strong cyber culture is the necessary foundation on which to build a dynamic cyber security strategy.


The internal audit imperative

Mind the Gap noted that:

“Overall, the majority of internal audit functions feature cyber security in their assurance work and are mature in the traditional approach to assessing cyber security risk.

However, it was surprising to see that, in comparison, only a third of senior internal auditors reported including assessment of cyber security practices that help promote effective cyber security culture within the organisation.”

As with auditing corporate culture, internal auditors must provide assurance on the CSC within their organisations. Is this part of your audit work? Read on to find out more about what good looks like and how it can form part of your audit work.


Why is cyber culture important?

According to the Cyber Security Breaches Survey 2020, a survey from the UK Department for Digital, Culture, Media and Sport, almost half of businesses (46%) and a quarter of charities (26%) report having had cyber security breaches or attacks in the last 12 months. This confirms the continued high levels of cyber disruption across all sectors of activity.

But maybe, more importantly, the report also notes that: “The nature of cyber attacks has also changed since 2017. Over this period, there has been, among those identifying any breaches or attacks, a rise in businesses experiencing phishing attacks (from 72% to 86%), and a fall in viruses or other malware (from 33% to 16%).”

Social engineering tactics targeted at employees (eg phishing, baiting, tailgating to gain physical access to sensitive areas) as well as unintentional behaviours by employees can lead to potentially significant cyber incidents. Consequently, employees and all stakeholders (including consultants, interns, etc) need to be constantly aware of such risks and how to protect themselves and the organisation’s assets.

Phishing attacks or social engineering attacks strike at the heart of weaknesses in an organisation’s CSC rather than the technical IT cyber-defence framework.

A good CSC should start with ensuring full buy-in across the enterprise (from the governing body and executive management to all employees and stakeholders), supported by regular training, testing and adequate IT tools. In the end, the cyber defence posture of any organisation will only be as robust as its culture.


An implementation guide for cyber security culture

The creation of a robust cyber security framework and culture requires investment to understand the business, the threats, and the existing attitudes towards cyber security in the organisation. It also requires the technical teams in IT and cyber security to collaborate closely with the executive team and HR to design an implementation plan appropriate for the type and maturity of the organisation (with the help of internal audit or external specialists as necessary). The ENISA report suggests a step-by-step implementation framework centred around specific activities, their implementation and the measurement of their impact, as illustrated below.


Role of internal audit

Mind the Gap found little evidence of internal audit assessing and promoting the CSC within their organisations.

This is a major gap in the internal audit approach to cyber resiliency. Cultural elements and human factors should be explicit components of any cyber audit, in addition to the traditional, more technical topics (eg anti-virus, patching, penetration testing).

To maximise its impact, internal audit must be able to demonstrate it has sufficient knowledge of the technological issues of cyber and how they interact with the softer cultural elements in the cyber resilience framework. A strong CSC will not be created simply through strong messages from the executive or the governing body, although it is an essential step. Culture and technical controls work with each other interactively to optimise the defence posture of the organisation. The organisation’s email system provides a very practical example of these interactions. The target culture should be one of caution and attentiveness. Achieving such a cultural environment will involve:

  • Clear policies on data governance and data protection, use of personal devices, interactions on social networks
  • Training of all personnel and governing body members on signals to look for in suspicious emails (eg grammatical or spelling errors, wrong logos, urgency in the tone of the email)
  • Regular phishing exercises with sharing of lessons learned and reporting of key indicators to management and the governing body
  • Technical tools integrated into the email system to facilitate sandboxing of email attachments, systematic reminders when emails are sent externally and an option to report suspicious emails to IT
  • Overall cyber infrastructure to secure the cyber perimeter of the organisation such as anti-virus software, regular patching, and network architecture.
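The third bullet above asks for key indicators from phishing exercises to be reported to management and the governing body. As an added example (it is not from this guidance, from ENISA, or from any particular phishing-simulation tool), the Python script below turns a constructed simulation export into the indicators such a report would carry: click, credential-entry and report rates per group, median time to report, and an explicit finding when a group that should be tested (for instance the governing body) was not included. The CSV layout, column names and group labels are assumptions made for the example.

```python
"""
Phishing-exercise indicators for a governing body report.

Added example, not code from the Chartered IIA guidance or ENISA.
The CSV export format, column names and group labels are assumptions;
the sample rows are constructed.
"""
import csv
import io
from datetime import datetime
from statistics import median

# Constructed sample export from a phishing simulation (hypothetical format).
# One row per recipient; an empty timestamp means the event did not happen.
SAMPLE_RESULTS = """\
user_id,group,sent_at,clicked_at,submitted_credentials,reported_at
u001,governing_body,2024-05-13T09:00:00,,no,2024-05-13T09:12:00
u002,governing_body,2024-05-13T09:00:00,2024-05-13T09:03:00,no,
u003,executive,2024-05-13T09:00:00,2024-05-13T09:01:00,yes,
u004,executive,2024-05-13T09:00:00,,no,2024-05-13T09:40:00
u005,it,2024-05-13T09:00:00,,no,2024-05-13T09:02:00
u006,it,2024-05-13T09:00:00,,no,
u007,staff,2024-05-13T09:00:00,2024-05-13T09:20:00,yes,2024-05-13T09:25:00
u008,staff,2024-05-13T09:00:00,,no,2024-05-13T10:00:00
u009,staff,2024-05-13T09:00:00,2024-05-13T09:05:00,no,
u010,staff,2024-05-13T09:00:00,,no,
"""

# Groups the guidance expects to see tested; a missing group is itself a finding.
EXPECTED_GROUPS = ("governing_body", "executive", "it", "staff")


def _parse_ts(value):
    """Return a datetime for a non-empty ISO timestamp, else None."""
    return datetime.fromisoformat(value) if value else None


def parse_results(csv_text):
    """Parse the simulation export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "user_id": row["user_id"],
            "group": row["group"],
            "sent_at": _parse_ts(row["sent_at"]),
            "clicked_at": _parse_ts(row["clicked_at"]),
            "submitted_credentials": row["submitted_credentials"].strip().lower() == "yes",
            "reported_at": _parse_ts(row["reported_at"]),
        })
    return rows


def group_indicators(rows):
    """Per-group indicators; rates are fractions of emails sent to that group."""
    report = {}
    for group in EXPECTED_GROUPS:
        members = [r for r in rows if r["group"] == group]
        sent = len(members)
        if sent == 0:
            # Flag rather than silently omit: the guidance asks whether senior
            # management and the governing body are included in exercises.
            report[group] = {"sent": 0, "finding": "group not included in exercise"}
            continue
        clicked = sum(1 for r in members if r["clicked_at"])
        creds = sum(1 for r in members if r["submitted_credentials"])
        reported = [r for r in members if r["reported_at"]]
        minutes_to_report = [
            (r["reported_at"] - r["sent_at"]).total_seconds() / 60 for r in reported
        ]
        report[group] = {
            "sent": sent,
            "click_rate": round(clicked / sent, 2),
            "credential_rate": round(creds / sent, 2),
            "report_rate": round(len(reported) / sent, 2),
            "median_minutes_to_report": (
                round(median(minutes_to_report), 1) if minutes_to_report else None
            ),
        }
    return report


def overall_indicators(rows):
    """Organisation-wide headline figures for the governing body pack."""
    sent = len(rows)
    if sent == 0:
        return {"sent": 0, "click_rate": None, "credential_rate": None, "report_rate": None}
    clicked = sum(1 for r in rows if r["clicked_at"])
    creds = sum(1 for r in rows if r["submitted_credentials"])
    reported = sum(1 for r in rows if r["reported_at"])
    return {
        "sent": sent,
        "click_rate": round(clicked / sent, 2),
        "credential_rate": round(creds / sent, 2),
        "report_rate": round(reported / sent, 2),
    }


if __name__ == "__main__":
    results = parse_results(SAMPLE_RESULTS)
    print("Overall:", overall_indicators(results))
    for name, figures in group_indicators(results).items():
        print(f"{name}: {figures}")
```

Tracking the report rate and median time to report alongside the click rate matters because a rising report rate is the positive behaviour the culture is meant to produce, whereas a click rate alone only measures failure; the per-group breakdown is what lets internal audit check that the governing body and executives were tested at all rather than excluded.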

Depending on the maturity of the organisation's technical cyber security framework, CSC assurance may be a standalone ad-hoc engagement or embedded within the scope of all related cyber and cultural internal audit engagements.


Key cyber security culture questions to ask

The following table (non-exhaustive) shows examples of the key design and operational elements that internal audit should aim to test in order to provide overall assurance on the robustness of the CSC. These elements cover the whole organisation starting with the high-level tone from the top (governing body and executive management) to the nitty-gritty of regular phishing exercises by the IT department. Internal auditors can use this table as a menu of questions to use in a variety of work programmes including assisting with the evaluation of an implementation plan such as the ENISA one presented previously.

Key areas and questions for internal audit

Governing body

  • Does the governing body understand the current state of cyber security awareness in the organisation?
  • Does the governing body receive regular reports (including metrics such as results from phishing exercises) on the evolution of the cyber security culture?
  • Does the governing body have access to the required technical expertise (either directly with governing body members or externally through advisers and training) to understand and challenge the cyber resilience strategy and technical framework given the rapidly changing threat environment?
  • Has the governing body approved a specific risk appetite and risk tolerances for cyber risks?
  • Is the governing body presented with regular updates on the key projects in the cyber resilience strategy and how they impact the cyber risk appetite?
  • Are senior management and the governing body aware of key risks associated with cyber security?
  • Does the governing body actively support strong messages of awareness and individual responsibility of all stakeholders regarding cyber threats?
  • Are the governing body members included in regular phishing campaigns and other related cyber testing exercises?
  • Is cyber security culture included in the on-boarding programme for new governing body members?
  • How is an effective cyber security culture reflected in the performance criteria for governing body members and the measures of success for the organisation?

Executive/Senior Management

  • Has the executive management (IT and non-IT) agreed on a cyber resilience strategy and technical cyber security framework?
  • Are non-IT executives involved in cyber strategy discussions?
  • Are the governing body and senior management aware of the cyber security culture in the organisation?
  • Is the cyber resilience strategy aligned with the enterprise risk management framework?
  • Is executive management included in cyber-testing (in particular internal phishing) exercises?
  • Does executive management actively promote cyber risk awareness (for instance by publishing results of internal phishing exercises)?
  • Is there a senior enough executive in charge of cyber, a Chief Information Security Officer (CISO) or similar?
  • Does internal audit regularly follow up with relevant stakeholders who own cyber security risks, such as the CISO and the IT department, to get a better understanding of cyber security culture in your organisation?
  • Has senior management put in place appropriate incentives (or dis-incentives) to support the behaviours implied by a strong culture?
  • Has senior management endorsed and deployed clear and practical policies on cyber topics, in particular: data theft / loss, code of conduct, use of personal devices and use of social media?
  • Is senior management promoting regular training and testing of the cyber resilience programme (social engineering or phishing tests)?
  • Does management systematically share the lessons learned from data breaches and cyber-attacks with all employees?
  • Does management encourage a “speak up” mentality to report incidents internally?
  • Is internal audit involved in cyber security strategy discussions and project updates?

IT department

  • Is the IT department focused on delivering the tools to influence effective behaviours, such as sandboxes for email attachments, automated reminders for external emails, anti-virus, reporting of suspicious emails and secured governing body communication software?
  • Does the IT department track best practices in good cyber behaviours and promote them across the organisation?
  • Does the IT department have clearly defined responsibilities over data governance, inventory management, and data classification processes?
  • Does the IT department (in-house or outsourced) perform regular testing and tracking of behavioural responses to potential attacks through phishing and other exercises? Do these exercises also include senior management and the governing body in order to widen the message?

Organisation stakeholders (employees, contractors, suppliers)

  • Are all stakeholders regularly trained and tested on positive cyber behaviours?
  • Has human factor risk been included in the assessment of cyber security risk?
  • Are employees and contractors receiving up-to-date training, including on remote working?
  • Is cyber awareness included in the induction programme for new joiners at all levels and in the contracting process?


Conclusion

Internal audit should take a proactive role in providing CSC assurance and advocating the importance of a good CSC across the organisation. This can only be achieved if internal audit establishes active relationships with key stakeholders and demonstrates sufficient knowledge of the technological aspects of cyber security and how they interact with the CSC. Using the key questions in the table above could be the first step to weaving cultural elements into every IT and cyber audit engagement. Alternatively, the questions can be combined with a maturity assessment of the CSC and research on best practices to provide a holistic advisory perspective to the governing body.


Further reading

Cyber security

IT auditing and cyber security

Cyber risk

Auditing culture

Recognising internal audit’s role in cyber risk

Mind the Gap: Cyber security risk in the new normal

Cyber Security Culture in Organisations


Content reviewed: 17 July 2024