Why is it important?
Cyber threats will likely remain one of the most frequent and potentially most damaging risks to organisations, and will continue to be one of the top agenda points for boards and Risk Committees in the financial services sector. Cyber-attacks have increased significantly in the wake of the pandemic, with COVID-19-themed "phishing" emails reported to have increased by 600%. Security vendors are reporting significant spikes in attacks, including scams, breaches, blackmail and business email compromise.
What’s new?
The COVID-19 crisis has also been characterised by a significant increase in fraudulent activity, including instances of social engineering fraud leading to identity theft. Cyber fraud flourishes when people are most vulnerable, or their personal, family or work circumstances are under significant change. The risk of unauthorised system access is also compounded as employees are forced to work remotely.
In addition, organisations have been facing a multitude of threats to their survival. Tough decisions have had to be made, usually at pace and with limited information, about how staff can continue to operate and serve customers: for example, how to provision IT resources to remote working staff, and how to continue delivering core services (e.g. online and via digital channels). This has required existing control processes, on occasion and out of necessity, to be flexed or changed.
What should Internal Audit be doing?
The need for Internal Audit to continue to challenge management, and to advise on the optimal balance between adequacy of control, risk exposure and cyber risk appetite on the one hand and business needs on the other, will be paramount in 2021 and beyond. Internal Audit functions should assess their own maturity and skills to cover cyber risk, whilst continuing to refresh the cyber audit plan in line with the threat environment and the broader organisational risk assessment. We expect that some of the areas of focus for 2021 will be:
Remote working:
- Remote working heightens existing cyber risks while introducing new ones to organisations. It is an area that will continue to be a major focus as we move into the post-COVID-19 recovery phase. For example, in a household, multiple family members could be using the same network, potentially exposing devices to malware that could then enter the firm's network if the right endpoint controls are not in place. In addition, we have seen a significant rise in the use of video conferencing facilities, some of which may have sub-optimal security standards, increasing threats to confidentiality and privacy.
- IA functions should review their businesses' remote working policy and security architecture, focusing on aspects such as: the requirement for work screens to be locked and laptops secured when not in use; Bring Your Own Device (BYOD) schemes; and other associated controls, such as the use of multi-factor authentication. Additional areas of focus should be security requirements for home wi-fi networks and personal routers, and device security measures such as Virtual Private Networks (VPNs). Automated monitoring and alerting should be enabled, for instance an alert when the corporate VPN is disconnected on a managed device, or when corporate resources are reached without it. Attention should also be paid to whether the cyber operations teams are able to detect, support and mitigate threats appropriately whilst themselves working remotely.
Vigilance and Cyber risk awareness:
- IA functions should investigate the approaches taken to increase the level of cyber awareness across the organisation, and look into programmes to re-educate staff on cyber threats or to reinforce key messages via CEO or CISO communications, for example. In an environment where malicious threat actors prey on emotions and uncertainty in an attempt to bypass training and rational thinking, the need for all employees to be alert to cyber issues and hyper-vigilant to phishing attacks is clearly a high priority.
Resilience:
- Functions will need to be able to support the increased reliance on digital technology and IT transformation programmes, including the need to factor in cyber resilience-by-design and to adopt the regulators' principles on operational resilience. As covered in our Operational Resilience topic, cyber risks will likely remain the most frequent threat to operational resilience, and should continue to be factored into any assurance work.
Cyber risk governance and monitoring:
- The immediate need to facilitate and support remote working for almost all staff has led some organisations to loosen certain controls in the short term, such as the requirement to connect over VPN, two-factor authentication, or monitoring. With levels of remote working likely to remain higher than they were pre-COVID-19, organisations may need to find ways to reset the balance and increase flexibility without compromising security or "flexing" controls beyond risk appetite. Internal Audit leaders should challenge management where the control environment goes beyond risk appetite, and explore with them alternative arrangements, such as strengthening compensating controls, or restricting access for high-risk roles and to sensitive data. Where controls have been loosened, the effectiveness of the monitoring or alerting controls designed to spot unusual patterns of activity and flag them for further investigation should be considered: if VPN or MFA is not enforced, detection of logins without them, from unfamiliar locations, or out of hours becomes the remaining line of defence.
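As an added, illustrative example (not part of the original text, and not any vendor's product), the following script shows what the monitoring and alerting controls referred to under "Remote working" and "Cyber risk governance and monitoring" look like in practice: a small set of rules run over remote-access login events that flags logins without MFA, access to sensitive resources with the corporate VPN disconnected, logins from a country outside the user's baseline, and sensitive access out of hours. The event schema, user baselines, sensitive resource list and working-hours window are all constructed assumptions for the example; an auditor would substitute the organisation's own log fields and policy thresholds.

```python
"""Added example: rule-based alerting over constructed remote-access events.

The events, baselines and thresholds below are hypothetical assumptions made
for this illustration; they are not taken from any real system or vendor."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Alert:
    rule: str    # which control expectation was breached
    user: str
    when: str    # event timestamp, ISO 8601 UTC
    detail: str


# Constructed sample events (hypothetical schema, not a real log format).
SAMPLE_EVENTS = [
    {"ts": "2021-02-01T09:05:00Z", "user": "alice", "action": "login", "mfa": True,
     "vpn": True,  "country": "GB", "resource": "payments-admin"},
    {"ts": "2021-02-01T09:40:00Z", "user": "bob",   "action": "login", "mfa": False,
     "vpn": True,  "country": "GB", "resource": "mail"},
    {"ts": "2021-02-01T23:30:00Z", "user": "alice", "action": "login", "mfa": True,
     "vpn": False, "country": "GB", "resource": "payments-admin"},
    {"ts": "2021-02-02T10:15:00Z", "user": "carol", "action": "login", "mfa": True,
     "vpn": True,  "country": "RO", "resource": "hr-records"},
    {"ts": "2021-02-02T11:00:00Z", "user": "carol", "action": "login", "mfa": True,
     "vpn": True,  "country": "GB", "resource": "hr-records"},
]

# Constructed baselines: countries each user has previously logged in from,
# the resources treated as sensitive (VPN mandatory), and normal working hours.
USER_BASELINE_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}
SENSITIVE_RESOURCES = {"payments-admin", "hr-records"}
WORKING_HOURS_UTC = range(7, 20)  # 07:00 to 19:59 UTC counts as normal


def evaluate(events, baselines=USER_BASELINE_COUNTRIES, sensitive=SENSITIVE_RESOURCES):
    """Run the four control rules over login events and return the alerts raised."""
    alerts = []
    for e in events:
        if e["action"] != "login":
            continue
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        user, when = e["user"], e["ts"]
        # Rule 1: every remote login must carry MFA.
        if not e["mfa"]:
            alerts.append(Alert("mfa_missing", user, when,
                                f"login to {e['resource']} without MFA"))
        # Rule 2: sensitive resources may only be reached over the corporate VPN.
        if e["resource"] in sensitive and not e["vpn"]:
            alerts.append(Alert("vpn_off", user, when,
                                f"{e['resource']} reached with VPN disconnected"))
        # Rule 3: unusual pattern, sensitive access outside working hours.
        if e["resource"] in sensitive and ts.hour not in WORKING_HOURS_UTC:
            alerts.append(Alert("out_of_hours", user, when,
                                f"{e['resource']} accessed at {ts:%H:%M} UTC"))
        # Rule 4: unusual pattern, country not seen before for this user.
        if e["country"] not in baselines.get(user, set()):
            alerts.append(Alert("new_country", user, when,
                                f"login from {e['country']}"))
    return alerts


def summarise(alerts):
    """Count alerts per rule: the view an auditor would sample against."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.when} {a.rule:<13} {a.user:<6} {a.detail}")
    print(summarise(found))
```

Running it on the constructed events raises one alert per rule: bob's login without MFA, alice reaching payments-admin with the VPN off and out of hours, and carol's first login from RO. The design point for assurance work is that each rule maps to one control expectation, so an auditor can sample the alert stream and confirm both that the control fires and that flagged events are actually investigated.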