Back in July I blogged about a parliamentary report drafted in response to the TalkTalk data breach inquiry. Move the clock forward three months and the government is now launching its £1.9bn cyber security strategy!
On 1 November the Chancellor launched a £1.9bn cyber security strategy. The Chancellor said, "If we want Britain to be the best place in the world to be a tech business then it is also crucial that Britain is a safe place to do the digital business".
Internal audit's role within organisations is to provide assurance regarding the robustness of the processes and controls in place to mitigate cyber security risk. The government's strategy therefore provides a platform for internal audit to review and, where appropriate, update its annual strategy and the annual internal audit plan, so that the level of assurance required by the board and audit committee can be delivered.
One of IIA Global's latest Global Technology Audit Guides, Assessing Cyber Security Risk: Roles of the Three Lines of Defense (pdf) offers guidance to internal auditors on how to update their approach to provide assurance over cyber security risks. It also empowers heads of internal audit to put forth a clear audit approach to assess cyber security risk and management's response capabilities, with a focus on shortening response time.
As internal auditors we need to ensure that we are aware of the cyber security risks facing the organisation, and be innovative in how we provide assurance to the board and audit committee regarding cyber security risk and also business resilience risk.
The head of internal audit should, as part of the annual programme of work, assess the action protocols for responding to an attack, ensuring they remain up-to-date and that they maintain company resilience (the ability to absorb adverse internal and external impacts and recover, with a view to returning to normal operations in a controlled fashion).
The UK must be able to retaliate in kind against cyber-attacks, the Chancellor has said. He added that hostile "foreign actors" were developing techniques that threaten the country's electrical grid and airports. The warning came within a speech describing how the government plans to spend a previously announced £1.9bn sum on cyber security. It also addressed ways to tackle cyber-scammers and defend businesses.
"If we do not have the ability to respond in cyberspace to an attack which takes down our power network - leaving us in darkness or hits our air traffic control system grounding our planes - we would be left with the impossible choice of turning the other cheek, ignoring the devastating consequences, or resorting to a military response." Philip Hammond, Chancellor of the Exchequer, November 2016
According to the government’s annual report on the 2011-16 cyber security strategy (April 2016), the 2016-21 cyber security strategy will include:
Cyber security has become one of the priority risks to be dealt with by organisations given that the number of cyber-attacks is on the rise every day; they are increasingly sophisticated and have an enormous economic and reputational impact on organisations. Governments are not immune to this threat. For example, Chinese hackers alone have caused damage valued at over $100 million to the US Defence Department’s networks according to documents leaked by Edward Snowden.
According to the BBC the new strategy 'will set out action needed to protect the UK economy and the privacy of British citizens, and will also encourage industry to ramp up efforts to prevent cyber attacks'. Surely it should be internal audit's role to support the aims of the new strategy across the UK, both as the Chartered IIA and as the internal audit function within organisations, by supporting engagement with the Government's new cyber security strategy?