Summary:
Organizations of all types are becoming more vulnerable to cyber threats due to their increasing reliance on computers, networks, programs and applications, social media, and data. Security breaches can negatively impact organizations and their customers, both financially and in terms of reputation. Global connectivity and accessibility to information by users outside the organization increase risk beyond what has been historically addressed by IT general and application controls. Organizations’ reliance on information systems and the development of new technologies render traditional evaluations of IT general and application controls insufficient to provide assurance over cybersecurity.
- The cost of cybercrime is mounting. The cost of a single ransomware incident can cost a company more than $713,000 on average.
- Cloud computing may provide the security against cyberthreats that companies need.
What is Cybersecurity:
Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attacks, damage or unauthorized access. Cybersecurity involves protecting information and systems from major cyberthreats, such as cyber terrorism, cyber warfare, and cyber espionage.
Data breaches are occurring more frequently. There are increasing pressures for businesses to step up efforts to protect personal information and prevent breaches.
Cybercriminals attack to gain political, military or economic advantage. They usually steal money or information that can eventually be monetized
Cyberattacks may come from malicious outsiders, accidental loss, malicious insiders, hacktivists and state-sponsored actors.
Internal Audit role in Cybersecurity includes:
vTheroleof the chief audit executive (CAE) related to assurance, governance, risk, and cyber
threats.
vAssessinginherent risks and threats
vThefirst,second, and third lines of defense roles and responsibilities related to risk management, controls, and governance.
vWheregaps in assurance may occur.
vThereporting responsibilities of the internal audit activity.
6 | P a g e
SBS Wiki www.sbsandco.com/wiki
Cyber Risk - Roles and Responsibilities
Effective risk management is the product of multiple layers of risk defense. Internal Audit should support the board’s need to understand the effectiveness of cybersecurity controls. An essential step in evaluating the internal audit activity’s role in cybersecurity is to ensure the three lines of defense are properly segregated and operating effectively.
1st line of defense - business and IT functions, management owns and manages the data, processes, risks, and controls. For cybersecurity, this function often resides with system administrators and others charged with safeguarding the assets of the organization.
2ndline of defense - information and technology risk management function, comprises risk, control, and compliance oversight functions responsible for ensuring that first line processes and controls exist and are effectively operating. These functions may include groups responsible for ensuring effective risk management and monitoring risks and threats in the cybersecurity space.
3rd line of defense – internal audit, the internal audit activity provides senior management and the board with independent and objective assurance on governance, risk management, and controls. This includes assessing the overall effectiveness of the activities performed by the first and second lines of defense in managing and mitigating cybersecurity risks and threats.
Cyber risk – Assessment approach
|
Phase |
Key activities |
Deliverables |
|
|
|
|
|
|
|
1. Planning and |
1. Identify specific internal and external stakeholders: |
1. Assessment |
|
|
scoping |
|
IT, Compliance, Legal, Risk, etc. |
objectives and scope |
|
|
2. |
Understand organization mission and objectives |
|
|
|
3. |
Identify industry requirements and regulatory |
2. Capability |
|
|
|
landscape |
assessment |
|
|
4. |
Perform industry and sector risk profiling (i.e., |
scorecard framework |
|
|
|
review industry reports, news, trends, risk vectors) |
|
|
|
5. |
Identify in-scope systems and assets |
|
|
|
6. |
Identify vendors and third-party involvement |
|
|
|
|
|
|
|
2. Analyze current |
1. Conduct interviews and workshops to understand |
U n d e r s t a n d i n g o f |
|
|
state |
|
the current profile |
e n v i r o n m e n t a n d |
|
|
2. |
Perform walkthroughs of in- scope systems and |
current state |
|
|
|
processes to understand existing controls |
|
|
|
3. |
Understand the use of third- parties, including |
|
|
|
|
reviews of applicable reports |
|
|
|
4. Review relevant policies and procedures, including |
|
|
|
|
|
security environment, strategic plans, and |
|
|
|
|
governance for both internal and external |
|
|
|
|
stakeholders |
|
|
|
5. Review self-assessments |
|
|
|
|
6. Review prior audits |
|
|
|
|
|
|
|
|
7 | P a g e |
|
|
|
|
Cyber Security |
|
SBS Wiki |
|
|
|
www.sbsandco.com/wiki |
|
|
|
|
|
|
|
|
|
3.Risk Assessment |
1. Document list of potential risks across all in-scope |
1. Prioritized risk |
|||
|
|
|
capabilities |
|
ranking |
|
|
|
2. |
Collaborate with subject matter specialists and |
|||
|
|
|
||||
|
|
|
management to stratify emerging risks, |
and |
2. Capability |
|
|
|
|
document potential impact |
|
||
|
|
|
|
assessment findings |
||
|
|
3. |
Evaluate likelihood and impact of risks |
|
||
|
|
|
|
|||
|
|
4. |
Prioritize risks based upon organization’s objectives, |
|
||
|
|
|
capabilities, and risk appetite |
|
|
|
|
|
5. |
Review and validate the risk assessment results with |
|
||
|
|
|
management and identify criticality |
|
|
|
|
|
|
|
|
||
|
4.Gap assessment |
1. Document capability assessment results |
and |
1. Maturity analysis |
||
|
and recommen- |
|
develop assessment scorecard |
|
||
|
|
|
2. Assessment |
|||
|
dations |
2. Review assessment results with specific |
||||
|
scorecard |
|||||
|
|
|
stakeholders |
|
||
|
|
|
|
3. Remediation |
||
|
|
3. |
Identify gaps and evaluate potential severity |
|
||
|
|
|
recommendations |
|||
|
|
4. |
Document recommendations |
|
4. Cybersecurity audit |
|
|
|
5. |
Develop multiyear cybersecurity/IT audit plan |
|
||
|
|
|
plan |
|||
|
|
|
|
|
||
|
|
|
|
|
||
|
Common Cyber Threat Controls |
|
|
|||
Sensitive or confidential data can be classified and stored internally, externally, or both. Internally, most organizations rely upon technology such as secure configurations, firewalls, and access controls as their first line of defense. However, in a dedicated attack where the firewall is overloaded, the attackers may gain access and unauthorized transactions may be processed.
To reduce the risk of such attacks reaching the firewall, the first line of defense takes preventive action at the perimeter of the network. This is a challenging process that involves restricting access and blocking unauthorized traffic. Detective controls, such as monitoring, should also be established to watch for known vulnerabilities based on intelligence gained about software products, organizations, and malicious websites.
Many organizations establish a whitelist of good traffic and a blacklist of blocked traffic. However, active monitoring and frequent updating is critical due to the dynamic nature of network traffic. If the attacker manages to gain access to the system, the next line of attack is likely to obtain administrative privileges and cover their tracks.
When data is stored external to the organization, it is vital for the organization to ensure vendors are properly managing relevant risks. A critical first step for the first line of defense is to establish strong contracts that require: service organization control (SOC) reports, right to audit clauses, service level agreements (SLAs), and/or cybersecurity examination engagements.
8 | P a g e
|
Cyber Security |
SBS Wiki www.sbsandco.com/wiki
After due diligence has been performed and the contract has been negotiated and executed, management should consider overseeing and governing the vendor by monitoring and reporting on key metrics to ensure conformance with SLAs. If the vendor does not meet contractual requirements, management could invoke the right to audit clause, ask for timely resolution of concerns, enforce penalties, and consider plans to transition to an alternative vendor if necessary.
Management must also be alert to attack schemes involving social engineering, including phishing emails and malicious phone calls. By impersonating a legitimate organization or person with a need for information or action, attackers convince authorized individuals to sharesensitive data, provide their system credentials, click links that route to fraudulent websites, or perform actions that install malware on the victim’s computer. Malware is becoming more sophisticated and increasingly targeted to a specific purpose or network. Once malware is installed, it can replicate across the organization’s network, disrupt system performance and availability, steal data, and advance fraudulent efforts by the attackers.
Malware is advanced by exploiting the lack of awareness. Therefore, reminding individuals frequently to be on the lookout for any suspicious or unusual emails, unprecedented requests, phone calls, or system activity is important. Training will also help individuals recognize fictitious communications and to report such incidents quickly for research, escalation, and resolution. Lessons learned and intelligence gained from peers in the industry can also be leveraged for training, awareness, and adoption of additional preventive measures.
Role of Audit Committee
The extent of the audit committee’s involvement in cyber security issues varies significantly by company and industry. Cyber security risk in some organization is tasked directly to the audit committee, while in others, there is a separate risk committee. Regardless of the formal structure adopted, the rapid pace of technology and data growth, and the attendant risks highlighted by recent security breaches demonstrate an increasing importance of understanding cyber security as a substantive, enterprise-wide business risk.
Audit committees should be aware of cyber security trends, regulatory developments and major threats to the company, as the risks associated with intrusions can be severe and can pose systemic economic and business consequences that can significantly affect shareholders. Engaging in regular dialogue with technology-focused organizational leaders will help the committee better understand where attention should be concentrated.
Malicious software illustrations:
Ransomware is a type of malicious software (otherwise known as ‘malware’) that restricts people from accessing their computer or smartphone, or individual files stored on them. Attackers extort money from their targets by holding their device or data to ransom, often threatening to release or erase it to force payment.
9 | P a g e
|
Cyber Security |
SBS Wiki www.sbsandco.com/wiki
Impact of Ransomware on Business
The services industry is the sector most affected by ransomware, businesses in this sector, such recruitment agencies, handle high volumes of data and typically integrate with various internet services and applications that expose them to infections. Recruitment agencies are particularly vulnerable to attacks. Downloading files like applications, CVs, portfolios and contracts is an essential and everyday function for a recruiter, but antivirus software may not always pick up on files that contain ransomware.
Famous ransomware: CryptoLocker and WannaCry
Perhaps the first example of a widely spread attack that used public-key encryption was Cryptolocker, a Trojan horse that was active on the internet from September 2013 through May of the following year. The malware demanded payment in either bitcoin or a prepaid voucher, and experts generally believed that the RSA cryptography used -- when properly implemented -- was essentially impenetrable. In May 2014, however, a security firm gained access to a command-and-control server used by the attack and recovered the encryption keys used in the attacks. An online tool that allowed free key recovery was used to effectively defang the attack.
In May 2017, an attack called WannaCry was able to infect and encrypt more than quarter million systems globally. The malware uses asymmetric encryption so that the victim cannot reasonably be expected to recover the (private and undistributed) key needed to decrypt the ransomed files.
Payments were demanded in bitcoin, meaning that the recipient of ransom payments couldn't be identified, but also meaning that the transactions were visible and thus the overall ransom payments could be tallied.
According to the Symantec 2017 Internet Security Threat Report, the amount of ransom demanded roughly tripled from the previous two years in 2016, with the average demand totaling $1,077. Overall, it's difficult to say how often these demands are met. A study by IBM found that 70% of executives they surveyed said they'd paid a ransomware demand, but a study by Osterman Research found that a mere 3% of U.S.-based companies had paid (though percentages in other countries were considerably higher). For the most part, payment seems to work, though it's by no means without risk: A Kaspersky Security Bulletin from 2016 claimed that 20% of businesses that chose to pay the ransom demanded of them didn't receive their files back.
