# Cybersecurity: Role for Auditors

Tags: Cyber, Enterprise Risk Management, Fraud, Internal Audit

Background

In 2013 President Obama declared that “Cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s (country’s) economic prosperity in the 21st century will depend upon cyber security.” Cyber risk has taken center stage today. It has steadily moved up the ranking in every risk survey over the last 10 years, and in 2015 it ranked among the top 10 risks. Recent examples include:

  • banks have been targeted and money has been stolen digitally[1];
  • industrial control systems have been targeted to harm a nation’s infrastructure[2];
  • personal photographs of celebrities have been stolen[3]; and so on.

The cyber threat has touched everyone, whether an individual, a corporation, a government or a nonprofit organization. CEOs have lost their jobs due to their inability to respond to cyber risk events[4].

What is Cyber Risk

Cyber Risk:
Institute of Risk Management:
‘Cyber risk’ means any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems.
Such a risk could materialize in the following ways:

  • deliberate and unauthorized breaches of security to gain access to information systems for the purposes of espionage, extortion or embarrassment.
  • unintentional or accidental breaches of security, which nevertheless may still constitute an exposure that needs to be addressed.
  • operational IT risks due to poor systems integrity or other factors.

Marsh:
The cyber risks to the business can be split into the following broad areas:

  • losses due to cyber-crime and cyber terrorism.
  • accidental loss of your own or someone else’s data.
  • physical loss of systems.
  • liability for your online activities or comments made in emails.

Cyber Security
Whatis.com[5]
Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cybersecurity.
Merriam Webster[6]
Cybersecurity means measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.

Cyber risk and cyber security can be paraphrased as follows:

Cyber Risk:

  1. Deliberate and unauthorized breach of security.
  2. Unintentional and accidental breach of security.
  3. Using breach of security to access information and/or information system.
  4. Using breach of security to deny access of information and/or information system to their owners.
  5. Manipulating information and/or information system or devices using information system.
  6. Using access for extortion, embarrassment and or espionage, now or later.

Cyber security:
Technologies, practices and processes used to protect information, computer systems, computer programs, computer networks, and devices that utilize computer programs and networks from attack, unauthorized access, modification, damage and unauthorized disclosure.

Why cyber risk has become prominent:

Information and information systems are assets as long as control is exercised by the owner or by someone duly authorised by the owner. They become a risk or a liability when they are under the control of someone who is not authorised.
Consider the following scenarios:

  1. Manipulating students’ grades and class schedules (http://abcnews.go.com/US/ny-high-school-students-accused-hacking-computer-system/story?id=34617530)
  2. Remotely controlling a car, as James Bond does in the movie “Tomorrow Never Dies” (http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/)
  3. Controlling traffic light systems (http://www.networkworld.com/article/2466551/microsoft-subnet/hacking-traffic-lights-with-a-laptop-is-easy.html)
  4. Taking control of an aircraft (http://www.telegraph.co.uk/news/worldnews/northamerica/usa/11611058/Cybersecurity-researcher-made-plane-climb-after-hacking-in-flight-entertainment-system.html)
  5. Manipulating telephone systems (http://spectrum.ieee.org/telecom/security/the-athens-affair)
  6. Controlling industrial systems (http://pipelineandgasjournal.com/hacking-industrial-scada-network, http://www.darkreading.com/attacks-and-breaches/hacker-apparently-triggers-illinois-water-pump-burnout/d/d-id/1101447?, http://www.businessinsider.in/A-programmer-wrote-scripts-to-secretly-automate-a-lot-of-his-job-and-email-his-wife-and-make-a-latte/articleshow/49900158.cms)
  7. Making ATMs spew cash (http://www.usatoday.com/story/tech/2015/02/15/hackers-steal-billion-in-banking-breach/23464913/)
  8. Ruining someone’s reputation (http://www.standard.co.uk/news/crime/first-woman-jailed-for-revenge-porn-after-putting-pictures-of-exgirlfriend-on-facebook-a3123821.html)
  9. Using software to fool EPA pollution tests (http://www.scientificamerican.com/article/volkswagen-uses-software-to-fool-epa-pollution-tests/)


Readers are advised to read the series of articles on the “Bastard Operator from Hell”[7] to gain an insight into fiction becoming reality.
Today we interact with technology on a 24x7 basis, whether

  • we are using our phones (167 billion smartphones shipped in 2014[8]) to chat with our friends, or
  • using the banking system (over 50% of the world’s adult population has access to banking facilities[9]), or
  • accessing a social network (71% of online users access social media[10]; 1.79 billion social media users[11]).
  • Governments globally have either issued their citizens a single identification card or are working towards issuing one (with capture of biometric information).
  • Global e-commerce sales amounted to 1.2 trillion USD in 2013[12], with an estimated 1 billion online buyers.
  • Globally, over 12 billion credit cards were in circulation in 2012[13].
  • By 2020, it is estimated that over a trillion devices will be connected to networks, collectively called the Internet of Things (IoT).

Cyber Warfare:

Governments were the first to recognise the potential of cyber threats and are working towards establishing offensive and defensive capabilities. Some of the sophisticated cyber events[14] include:

  • In September 2010, Iran was attacked by the Stuxnet worm, thought to specifically target its Natanz nuclear enrichment facility. The worm is said to be the most advanced piece of malware ever discovered and significantly increases the profile of cyberwarfare.
  • In September 2007, Israel carried out an airstrike on Syria dubbed Operation Orchard. U.S. industry and military sources speculated that the Israelis may have used cyberwarfare to allow their planes to pass undetected by radar into Syria.
  • In July 2011, the South Korean company SK Communications was hacked, resulting in the theft of the personal details (including names, phone numbers, home and email addresses and resident registration numbers) of up to 35 million people. A trojaned software update was used to gain access to the SK Communications network. Links exist between this hack and other malicious activity and it is believed to be part of a broader, concerted hacking effort.

Equipment[15] meant for governments can easily be used by corporations.

What makes Cyber Risk so potent:

The business impact of a data loss, which can be caused by the human factor, can be severe. It includes claims from customers and suppliers for breach of confidentiality, breach of contract and negligence, direct revenue loss, business interruption and damage to reputation. There is also additional work and expense in crisis containment and managing adverse publicity.
A large number of the factors giving rise to cyber risk can be controlled. However, there is an equally large number of factors over which it is difficult to exercise control. Some of these factors are given below:

| Element | Controllable actions | Uncontrollable actions |
|---|---|---|
| Human | Training on policies and procedures; security training | Situations requiring professional judgment, which depends on alertness; new situations / new ways to bypass security |
| Technology | Limited number of software packages; legal and reputable software only; regular updates / patches | Zero-day exploits; legacy software; undocumented features / Easter eggs |
| Devices | Hardening of devices before deployment; changing default passwords | Hard-coded options; resetting to factory settings; factory-loaded firmware |
| Social media | Training; social media policy governing what is and is not allowed | No control over actual postings; no control over malicious postings |
| Security environment | Firewall; antivirus; anti-malware; IDS; IPS; rootkit scanner | Infected BIOS; OS infected at the manufacturer itself; infected connected devices; devices infected with Trojans |
| Industrial control systems | Security review of devices | No access to the software used in the devices; no expertise to evaluate the systems |
| Communication | Internal communication | External communication; social media |

The threat posed by governments is something which is very difficult to control, e.g.:

  • government demands for backdoors in systems;
  • government demands for keys where encryption is used;
  • government use of technology for spying and surveillance.

Governments are very proactive in building cyber warfare offensive and defensive capabilities[16].
FBI advice to ransomware victims: “Just pay the ransom” (http://www.neowin.net/news/fbi-gives-shocking-advice-to-ransomware-victims)

Legal framework around Cyber security

The legal framework for cyber security can be classified into the following categories:

| Sr. | Category | Description | Examples |
|---|---|---|---|
| 1 | Information governance related | Acts governing usage / standards pertaining to the use of information and information systems | Anti-cyber crime laws, anti-spam policies, TA, HIPAA, GLBA, HAS, FISMA, ITA |
| 2 | Data privacy related | Storing / processing / using private information | PIPEDA, ECHR, DPA, HIPAA, COPPA, FACTA, FCRA, ECPA |
| 3 | Disclosure related | Disclosing information in case of incidents | Various |
| 4 | Liability related | Mandatory insurance related to cyber liability | Various |

Top 10 industries which are / will be impacted by cyber risk

Everyone is a target of cyber risk, whether an individual, a global MNC, a government organisation or a non-profit organisation. The following industries will feature very high on the list of industries impacted by cyber risk:

| Sr. | Industry | Why |
|---|---|---|
| 1 | Banking and finance | They have the money and leverage technology to further their reach. |
| 2 | IT and ITES | They rely heavily on information technology. |
| 3 | Insurance | They insure businesses against risks. |
| 4 | Hospitals / pharma | They use advanced electronic systems. The future lies in remote diagnostic facilities. The use of medical insurance and of networked medical facilities will give criminal elements the necessary incentive. The USA is already a large market for such attempts. |
| 5 | Aviation / airports | Aircraft today are more electronic than mechanical, and more and more technology is being incorporated. The new trend of providing free Wi-Fi, making aircraft more computer driven, developments in drone technology and the use of drones for commercial purposes will make the technology available to a wider audience to experiment with. |
| 6 | Automobile | Today a high-end car is largely computer driven. Current research on making cars “driverless”, using computers to drive the vehicle, making roads intelligent with networking capabilities and networking cars will give an avenue to xxx people. |
| 7 | Utilities | Utilities such as water and electricity are trying to get more and more connected in order to serve consumers at lower cost, automating a large number of operations; their change management process is very slow; and they offer the ability to impact a large part of the population, or to extract a small amount of financial gain from a large number of people. |
| 8 | Home entertainment / smart home systems | Homes are connecting to the internet via Wi-Fi and networks, incorporating smart devices like TVs, set-top boxes, gaming consoles, fitness trackers, smart fridges, smart ovens, smart washing machines, smart electronic security systems, networked CCTV systems and so on. This gives a criminal element a treasure house and exposes a wide variety of channels for making entry into the system. |
| 9 | e-Commerce / m-commerce / mobile wallets, e-wallets | Again the use of technology; a large number of participants provides a large number of entry points. |
| 10 | ICS providers / computing hardware and software providers | These companies provide very tempting opportunities to criminal minds. Though these companies would be better equipped to deal with cyber risk, the benefits are too large to ignore (coupled with the fact that governments want to install backdoors to have access; the same access can and will be discovered by criminal minds). |

What is the role of Internal auditor in Cyber Security?

Internal auditors give independent, objective assurance and provide consultation to add value and improve an organization’s operations. They help an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.
Information technology is the lifeline of an organization, providing relevant information to relevant people in a timely manner. As part of risk assessment, it always features as one of the core items in the audit universe.
Internal auditors can do the following (subject to the availability of professional expertise):

  1. Cyber risk assessment
  2. Cyber maturity assessment
  3. Review of the applicability of regulation and compliance requirements to cyber risk
  4. Review of the cyber strategy, if one exists
  5. Existence and effectiveness of IT governance policies and procedures
  6. Existence and effectiveness of monitoring processes for IT governance
  7. Risk assessment of people background check processes
  8. Review of the incident response plan
  9. Training on cyber risk awareness
  10. Encouraging the organization to pursue IT certifications (ISO 27001, ISO 22301 and other applicable standards)
  11. Third-party risk assessments.

 

What is the way forward for organizations?

  1. Risk assessment of every element of the organisation’s activities
  2. Threat assessment of every element with regard to source: internal and external
  3. Controls in place to ensure confidentiality, integrity and availability of information
  4. Business impact in case any element gets compromised
  5. Response to threats in case any element gets compromised
  6. Information governance in its entirety, to ensure that risks are being managed
  7. Training
  8. Cyber liability insurance
  9. Information sharing on cyber security incidents
  10. Collaboration with competitors, vendors, customers and government agencies.

Conclusion


If you think technology is the solution to your cyber security risk, you understand neither technology nor your cyber risk.
Some useful links:

  1. https://na.theiia.org/special-promotion/PublicDocuments/GRC-Cybersecurity-Research-Report.pdf
  2. https://www.kpmg.com/ID/en/IssuesAndInsights/ArticlesPublications/Documents/ACI-The-Cyber-Security-Challenge.pdf
  3. http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-risk-cyber-ia-urgent-call-to-action.pdf
  4. https://www.pwc.com/us/en/risk-assurance-services/assets/pwc-internal-audit-assuring-data-security-privacy.pdf

[1] Hackers stole $1.2 billion from 7,000 businesses in 2 years (http://money.cnn.com/2015/08/28/technology/hackers-fbi/)
[2] Russian Hackers Target Industrial Control Systems (http://www.securityweek.com/russian-hackers-target-industrial-control-systems-us-intel-chief)
[3] Ashley Madison Hack Update: All The High Profile, Celebrity Names Attached to The Private Information Leak from The Cheating Website (http://www.ibtimes.com/ashley-madison-hack-update-all-high-profile-celebrity-names-attached-private-2066211)
[4] http://www.forbes.com/sites/ericbasu/2014/06/15/target-ceo-fired-can-you-be-fired-if-your-company-is-hacked/
[5] http://whatis.techtarget.com/definition/cybersecurity
[6] http://www.merriam-webster.com/dictionary/cybersecurity
[7] http://bofh.ntk.net/BOFH/index.php, a series of stories about a fictional rogue system administrator who takes out his anger on users, colleagues, bosses, and anyone else who pesters him with their computer problems. If it has not occurred already, then it is only a matter of time and/or disclosure before it is confirmed that fiction has become reality.
[8] http://press.trendforce.com/press/20150120-1806.html
[9] http://www.economist.com/blogs/feastandfamine/2012/04/banking-developing-world
[10] http://www.pewinternet.org/fact-sheets/social-networking-fact-sheet/
[11] http://www.statista.com/topics/1164/social-networks/
[12] http://www.statista.com/markets/413/e-commerce/
[13] http://www.statista.com/statistics/279257/number-of-credit-cards-in-circulation-worldwide/
[14] https://en.wikipedia.org/wiki/Cyberwarfare
[15] http://www.forbes.com/sites/thomasbrewster/2015/11/30/wifi-stingray-hacking-surveillance-china-paris/
[16] https://en.wikipedia.org/wiki/Cyberwarfare
I welcome your inputs on the above. If you like it, then share it.
(The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author’s employers or supervisors, nor do they represent the views of organizations, businesses or institutions the author is, or has been, a part of.)