Assurance in the ‘New Normal’ – Cyber Security.

4/1/17

‘Working From Home’ is now considered the new normal following the pandemic-related lockdowns. Natural disasters, such as the major flooding recently experienced across a wide area of the east coast of Australia and the major bushfires of the last few years, have also demanded that staff remain at home for their physical safety. As a result, organisations have to continually review and refine their approach to managing the cyber security risks created by a remote workforce.

Organisations have had to flex their network security, firewall and system access rules and contend with increased use of personal ‘Bring Your Own Device’ (BYOD) equipment to support employees in the delivery of services.

A UK Government Cyber Breaches Survey conducted during the UK Lockdown in 2021 revealed that nearly half of all businesses relied on staff using personal devices for work but only 18% of organisations had a cyber security policy covering their use at work. It also identified that under 25% of businesses in the survey had a cyber security policy covering working from home.

It is therefore appropriate that the Institute of Internal Auditors Australia (IIA) issued a White Paper titled ‘Cyber Risk Readiness, Response & Ransom: An Audit Committee Perspective’ in July 2021 highlighting that IT security consistently features as the top risk to be addressed by organisations around the world.

The IIA white paper emphasises the importance of an often overlooked activity: gaining assurance over soft controls within the organisation – the people side of IT security. This view is supported by the Head of IT Audit & Assurance, UK West Midlands Ambulance Service, who states: “I have seen organisations put in brand new firewalls & technical updates for it all to be undone by one user who has not followed rules or engaged. User awareness is key”. (IIA UK & Ireland ‘Mind The Gap’ on Cyber Security Risk).

Currently, in most organisations, cyber security policies lag behind changing work norms: IT security software is regularly upgraded, access is restricted and hard controls are implemented to protect the network, data and clients, but the policies governing how people work are not updated at the same pace. Without understating the importance of strong technical IT controls, there also needs to be a greater focus on embedding the right culture around IT security. Improving the awareness and resilience of the soft cultural controls changes the dynamics of protecting against IT security failures, from a purely technical control lens to making each member of the organisation accountable for ‘doing the right thing’ and promoting good practice around IT security.

The IIA issued a further survey, ‘Cyber Security Risk in Australia’, in mid-2021, which underpins the topics discussed above. It recognises that cyber risk is one of the most significant issues of the 2020s, but believes that internal audit has the potential to contribute significantly to the management of those risks. The Australian survey was based on the IIA UK & Ireland ‘Mind The Gap’ Cyber Security Risk survey and was conducted during August 2021. It noted that while distributed working has been a part of Australian organisations for many years, providing external access to all corporate systems was initially a slow take-up that has accelerated significantly with pandemic-created needs.

It is widely acknowledged that security capabilities are a function of people, processes and technology. Organisations focus mainly on delivering the technical aspects first to allow staff to work from anywhere, and placing technology first creates a disconnect. The technology essentially provides the vehicle for how users can work remotely, but it is the individual user’s awareness (people) and the application of the organisation’s security policies (process) that dictate the level of maturity associated with these activities. There are frequently gaps in the organisational culture that should support working safely in remote environments, and these gaps leave the soft control environment immature regardless of the effectiveness of the technical IT controls. The importance of people and process controls is further highlighted by the most common attack methods, which currently include ransomware, phishing, malware and social engineering. While all of these have a technical aspect, they also rely heavily on engaging with an organisation’s personnel and getting them to undertake an action that leads to a compromise.

For the audit and assurance profession, responding to cyber risks has at times created challenges in how audits are conducted and how we receive information and data. This has required the profession to be adaptable, with increased use of Teams, Zoom and other internet-based meeting technologies to conduct meetings that were previously face to face. There has also been a need to identify ways to securely receive data, with portal-based systems becoming increasingly common alongside encrypted portable devices; both present their own security challenges to both parties.

So how can we at Vincents contribute?

Our assurance and risk advisory team, led by Keith Allen and Kevin Joseph, has significant experience in assessing cyber security risk and controls at both the technical IT control level and the people and process levels. As a team, we have broad experience in reviewing the effectiveness of controls at the technical control level as well as at the strategic governance and operational policy and procedure levels. The effectiveness of training is also a key component, and we are able to assist both in reviewing the adequacy and effectiveness of existing training and through the development and delivery of training targeted at an organisation’s key risks and operating environment.

In addition, our Forensic Technology team, led by Dan Haines, provides a highly experienced capability that can identify, recover and trace activities at the transactional level across an organisation’s data repositories in the event that controls have failed and you require forensic guidance.

An Important Message

While every effort has been made to provide valuable, useful information in this publication, this firm and any related suppliers or associated companies accept no responsibility or any form of liability from reliance upon or use of its contents. Any suggestions should be considered carefully within your own particular circumstances, as they are intended as general information only.