IT Governance Archives - Cyber Secure Forum | Forum Events Ltd
Posts Tagged :

IT Governance

Cyberthreats and IT governance are top concerns for auditors in 2023

 960 640 Stuart O'Brien
By:
0
0

Cyberthreats and IT governance are top risk areas for internal auditors to address in their audit plans for 2023.

That’s according to the Gartner 2023 Audit Plan Hot Spots Report, which identifies the top 12 risk focus areas for Chief Audit Executives (CAEs) to help them identify risks to their organisations and plan audit coverage for the coming year.

“Cyberthreats remain a perennial concern for CAEs, yet the drivers of this risk have evolved as a result of new geopolitical conflicts and the heightened prospect of state-sponsored attacks,” said Leslee McKnight, vice president for the Gartner Legal, Risk and Compliance practice. “Mitigation plans need to be revisited to reflect the evolution of the risk and prepare the organization to meet increasingly stringent disclosure requirements in the event of a breach.”

Adjacent hot spots, such as ensuring adequate IT governance and third-party risk management, contribute to a challenging outlook for mitigating the full array of potential cyberthreats facing organizations in 2023. While most CAEs indicated they planned to address cybersecurity in their plans next year, only 42% of survey respondents expressed a high level of confidence in their ability to provide adequate assurance in this area.

Gartner’s annual report is based on a survey of 112 CAEs completed in August 2022, additional structured interviews with CAEs and IT Audit leaders, as well as data and insights generated from cross-functional Gartner research throughout 2022. The top risk focus areas identified from this process are listed below.

2023 Audit Plan Hot Spots

  • Cyberthreats
  • IT Governance
  • Data Governance
  • Third-Party Risk Management
  • Organizational Resilience
  • Environmental, Social and Governance (ESG)
  • Supply Chain
  • Macroeconomic Volatility
  • Workforce Management
  • Cost Pressures
  • Culture
  • Climate Degradation

Three key themes drove the risks this year including a “renationalization of resources” and a “triple squeeze” of growing cost pressures, supply chain risks and labor scarcity. The final theme, the need to “rethink organizational resilience,” is unique as its own distinct risk area and a driver of a multitude of other risks.

The ability to withstand crises and disruptions may become more critical next year, and many organizations still take a limited view of resilience, mostly focused on business continuity and IT disaster recovery. This narrow view of resilience fails to account for additional risks impacting resilience including greatly increased economic volatility and impacts from climate degradation.

“Rethinking resilience is a key theme that underlies a diverse set of risks facing organizations in 2023, including economic volatility, climate degradation and third-party risk management,” said McKnight. “Currently less than one third of audit leaders are highly confident in their team’s ability to provide assurance over organizational resilience risk, and more concerning, less than half plan to cover organizational resilience in audit activities in the coming year.”

McKnight further noted that the increasingly interconnected risk landscape increases the chances for cascading risks, where one risk causes additional risks to manifest for an organization, a scenario that few organizations are actively planning against today.

Cybersecurity and Financial Services – How Can Organisations Combat the Threat?

 960 640 Guest Post
By:
0
0

By Genevra Champion, Sector Marketing Manager, IT Governance

The financial services industry is naturally a lucrative target for cyber criminals. Financial organisations trade and control vast amounts of money, as well as collect and store customers’ personal information so clearly, a data breach could be disastrous for an industry that is built on trust with its customers. 

The financial services industry is second only to retail in terms of the industries most affected by cyber crime –  the number of breaches reported by UK financial services firms to the FCA increased 480 per cent in 2018, compared to the previous year. While financial servicesorganisations are heavily regulated and cybersecurity is becoming more of a business priority, there is still much more to be accomplished when it comes to businesses understanding what measures must be taken – from the C-suite down – to effectively protect organisations against inevitable breaches.  

So how can financial services firms proactively equip themselves to respond to increased regulatory scrutiny and mitigate the impact from the growing number of threats they will face? 

Mitigating the threat

Financial institutions were able to defend against two-thirds of unauthorised fraud attempts in 2018, but the scale of attacks significantly increased. Significant market players including Tesco Bank, Metro Bank and HSBC all reported breaches in the last year. Clearly, the banks’ cybersecurity defences have not developed at a fast enough pace. Cyber criminals can and will dramatically outspend their targets with increasingly sophisticated attack methods. In addition, many of the traditional banks struggle with large, cumbersome legacy systems, which pose significant reliability issues, as well as flaws in security. 

Last year’s IT banking disaster led to thousands of TSB customers being locked out of their accounts, leading to fraudsters exploiting the situation by posing as bank staff on calls to customers in order to steal significant sums of money from customers. The breach occurred while the company was conducting an upgrade on its IT systems to migrate customer data to a new platform. This wasn’t just bad luck for TSB, but a failure to adequately plan and assess the risks that come with such a huge project. The bank has since pledged to refund all customers that are victims of fraud, a move which will likely see other banks reviewing their approach to the rise of this particular type of cyber crime. 

The industry must understand that security incidents are an ever-present risk. However, organisations can be prepared – scoping a defence strategy specific to the firm, with processes for implementation, will mean an attack can be quickly identified, isolated and resolved, minimising business impact.

Appropriate defence strategy

The FCA has set out various cybersecurity insights that show how cybersecurity practices of UK financial services firms are under the regulatory microscope, as the cyber threat continues to grow. The approach from the FCA includes practices for organisations to put into action such as those that promote governance and put cyber risk on the board agenda. The advice also covers areas such as identifying and protecting information assets, being alert to emerging threats and being ready to respond, as well as testing and refining defences. With cyber crime tools and techniques advancing at a rapid pace, and increasing regulations, it’s no wonder that many organisations struggle to keep up to ensure their defences stay ahead of the game.

In order for in-house security teams to keep up to date with current and evolving threats and data protection issues, firms must invest in regular training. Specialist skills are required to mitigate cyber risk, which for some could be cost-prohibitive.  As an alternative, an insourced model allows you to leverage a dedicated and skilled team on an ‘as you need’ basis to deliver an appropriate strategy. With a Cyber Security as a Service (CSaaS) model in place, organisations can rapidly access a dedicated team with the knowledge and skills to deliver a relevant and risk appropriate cyber security strategy. 

Crucially, in addition to completing a gap analysis and a multi-layered defence strategy, the model will also apply to people and processes. Attackers will generally aim at the weakest point of an organisation – often it’s staff. Human nature means passwords are forgotten, malware isn’t noticed, or phishing emails are opened, for example. Therefore, a blended approach of technology, processes and shared behaviour is required that promotes the need for staff awareness and education of the risks, in order to effectively combat the threat.  

Conclusion

With increased regulatory attention across security and privacy, firms must take steps to improve their defences, or risk severe financial and reputational damage. The issue of cybersecurity risk must become as embedded within business thinking as operational risk. Anyone within an organisation can be a weak link, so the importance of cybersecurity defences must be promoted at all levels – from the board all the way through to the admin departments. It’s everyone’s responsibility to keep the organisation protected against threats. 

While the threat of cyber attack is real, financial services firms do not have to take on the battle alone. With a CSaaS model in place, organisations can start to take back control of their cybersecurity strategy and embed it as a trusted, cost-effective and workable core part of the business’ process. 

Image by Jason Goh from Pixabay

GUEST BLOG: SME collaboration delivering effective Public Sector IT security

 960 640 Stuart O'Brien
By:
0
0

Written by Bernard Parsons, CEO, Becrypt

When Becrypt began developing security technology for government more than a decade ago, relationships with Systems Integrators were the only viable route to understanding and accessing customer requirements.

Our experiences today are of a vastly more diverse supply chain, with some major government programmes consuming our services as part of a collaborative ecosystem of cyber security SMEs.

The public sector is under intense pressure to transform its services by delivering better, more reliable experiences, more efficiently for UK citizens. Technology is at the heart of that ambition.

User expectations increase exponentially as consumer tech evolves, added to which the opportunities emerging from private sector innovation in everything from Artificial Intelligence (AI) to big data analytics are so significant that the public sector has an obligation to establish how they can be deployed for public benefit.

Nevertheless, unlocking the advantages of flexible, mobile, data-driven services requires effective cyber security. Public sector data is incalculably valuable; from citizens’ personal identifiable information to highly classified government records, the risk of compromise by accident or malicious intent must be appropriately managed.

Within one major government programme, we are actively collaborating with ten innovative SMEs working directly with government to deliver cloud-based services and mobile platforms that have functional and performance characteristics more typical of our faster-paced private sector customers than government systems of old, whilst achieving the ‘high assurance’ requirements of sensitive government networks.

This new way of working has been driven in part by a convergence of public and private sector requirements, both in terms of technology expectations and cyber threat. To help drive the required innovation, government departments now engage directly with SME’s through agile sprint processes, supported by lighter-weight contracting vehicles, leveraging the agility of SMEs and their desire to align innovation with emerging customer requirements.

Whilst agile SME suppliers have flexibility to tailor solutions closely to public sector customer requirements, government’s relatively recent desire to avoid bespoke systems, combined with market convergence, allows the same R&D costs to meet the needs of broader markets.

For example, Becrypt has worked with the National Cyber Security Centre and other government departments to develop a ‘Cloud Client’ End User Device platform for accessing cloud and online services, leveraging open source components to develop a security-focused operating system. As a ‘born-in-government’ product, we have then been able to deploy the same technology across other security conscious organisations, such as those within the Critical National Infrastructure.

The wider marketing of products built for, or at least influenced by government is helped in part by the thorough technical due diligence or product assurance that government typically undertakes. Such activities are very resource intensive but can nevertheless be a very effective mechanism for an SME needing to establish its first market for a new product. Using product assurance or system accreditation as a meaningful differentiator, is more viable for an SME than the alternative of competing with the vast marketing budgets of multinationals, allowing a beachhead to be created within government, before ‘crossing the chasm’ to adjacent markets where requirements now overlap.

There will of course always be an important place for System Integrators as part of the cyber security supply ecosystem for government, and indeed many are evolving internal structures to promote greater agility, innovation and collaboration through mechanisms such as ‘Intrapreneurship’.

But in our experience, collaboration between cyber SMEs over recent years, combined with new public sector engagement models, has had a transformative effect on a number of key government IT programmes.

Guest Blog: The cyber resilience model

 960 638 Stuart O'Brien
By:
0
0

For too long, organisations have sought the holy grail of 100% Cyber Security. But security is never absolute; it is essential to understand that a breach is inevitable. It is the way in which organisations respond to a cyber security breach that is critical.

Alan Calder, Chief Executive of GRC International plc, parent company of IT Governance explains the fundamental importance of creating a Cyber Resilient model…

Cyber Security Myth

Cyber security is defined as the state of protecting information from attack by identifying risks and establishing appropriate defences. But as investment in security solutions continues to spiral it is essential for organisations to recognise the truth: total cyber security is unachievable. 

Cyber criminals can and will dramatically outspend their targets, creating ever changing and ever more sophisticated threats. At the same time, the ease with which these individuals and organisations bypass security technology and exploit poor process and ill-educated employees simply reinforces the futility of the current model: when 93% of security breaches occur as a result of a phishing or pretexting email, clearly a different approach is required.

Breaches occur routinely – and companies rarely know they have been breached. Not only are the majority of security breaches actually identified by third parties, on average it takes 193 days after the breach first occurred. So much for the much vaunted cyber security strategy.

What is required, therefore, is a far more robust approach to both managing the breach and minimising the business impact – a model that is predicated on achieving cyber resilience, not cybersecurity.

Cyber Essentials

To create a cyber resilience model an organisation needs to totally reconsider security provision; to assess and determine the business specific acceptable level of risk and acknowledge that an attack may be successful however well prepared the defences. By adopting a standards-based approach that encompasses technology, people and processes, a cyber resilience strategy can be designed to reflect each organisation’s maturity level with regards to both cyber security and data privacy.

At the heart of a cyber resilience strategy is defence in depth. In addition to using technology to block phishing emails, for example, a company must also ensure staff are trained to recognise the signs that an email may not be genuine. They must know how to respond if they mistakenly click on the email, including immediately notifying the help desk, which will prompt clearly defined escalation processes to minimise corporate exposure. Add in a device level back up process that does not allow the spread of malware and a business has a robust cyber resilience approach to the most prevalent form of breach.

Resilience Journey

This is, of course, an evolution. For smaller or start up business, a simple first step is to adopt Cyber Essentials, five basic controls which should prevent around 80% of Internet borne attacks from being successful. As an organisation matures, it is important to add process and people controls, even pursue the ISO 270001 information security standard, and to consider the wider business ecosystem. Is there a corporate network vulnerability created by the heating supplier routinely accessing the building’s heating, ventilation and air conditioning system, for example? What about customer security? Should the hosted web site be relocated to the cloud to achieve the encryption demanded by PCI DSS when handling credit card details? Throughout the evolution, a good cyber resilience model will continually learn, collecting data about breaches, for example, to highlight staff that need additional training or improvements to escalation processes, and ensuring the cyber risk assessment adapts in line with business expectation.

Critically, therefore, this is a board level issue and, over time a board’s awareness of and involvement in the business’ cyber resilience model must become part of the standard governance framework, as embedded as board and market reporting, health and safety and social engagement. 

Simply raising the cyber security budget year on year is not the answer: what is required is an evolving, multi-layered set of responses to the continually escalating cyber threat. Replacing a futile search for cyber security with a robust, practical and risk appropriate cyber resilience model is one of the most important steps an organisation can take.

GUEST BLOG: People and processes are key to effective cyber security

 960 640 Stuart O'Brien
By:
0
0

Alan Calder Founder and Executive Chairman at IT Governance

Cyber security investment continues to spiral, with Gartner predicting global security spend will reach £71.72 billion by the end of the year, as a result of regulatory change, mindset and a growing awareness of threats.

And with over 40 per cent of UK businesses experiencing some form of cyber security attack or breach in the last 12 months, with the attendant cost and reputational damage, it is easy to see how information security teams can argue for ever higher budgets.

But is handing over another tranche of cash really the most effective route to cyber resilience? Look closely at any recent high profile breach and the hack was not achieved through bypassing top of the line security technology but by identifying weaknesses within processes and staff. Whilst technology certainly has its part to play in a business’ overall cyber security strategy, people and processes actually have a much more significant role in ensuring a business is protected. From management commitment to strategic risk assessment to process change and employee awareness, as Alan Calder Founder and Executive Chairman, IT Governance argues, organisations need to reconsider security and rapidly onboard the skills required to achieve this three-fold approach to mitigating cyber risk.

Weakest Link

No organisation is immune to the threat of a cyber attack, especially as the types and methods of attack become increasingly more sophisticated. Given the enormous cost associated with breach, from regulatory fines to lost customers and compromised supplier relationships, this is clearly on the board’s agenda.  Unfortunately, most boards would rather commit to hiking the security budget than take the steps actually required to improve cyber resilience: namely, get involved.

According to the ISO 27001 security standard, board level commitment is an essential requirement – yet this is a message that the CIO or CISO is finding hard to get across. Most senior level individuals perceive that cyber security is too complex and too technical to have a place in any board meeting. Yet this attitude underlines a patent lack of understanding of the cyber criminal: it is not all about incredibly complex and sophisticated threats, attackers will aim at the weakest link in an organisation’s security posture – its people.

People are a risk because they will forget passwords, make errors, click on phishing emails or access web sites loaded with malware. It is not malicious – in the main – but it is a huge problem.  The fact is that the vast majority of breaches are linked to human error – and more often than not, the cause is ill considered processes and education, not inadequate security solutions.

Proving the Point

The massive data breach at Sony came about as a result of hackers getting access to the list of passwords written in plain text, essentially an open door to an extraordinary raft of sensitive information; while at Morrison’s, it was a disgruntled employee who was able to upload the details of 99,998 staff, including bank account details, salary information, dates of birth, National Insurance numbers, addresses and phone numbers, to data sharing websites.  Having spent more than £2 million tackling the breach, the High Court ruled the supermarket was vicariously liable because the individual was acting in the course of his employment when he leaked the information online.

A lack of management understanding of risk also contributes to technology and process compromises that create unacceptable exposure. The WannaCry ransomware attack that ravaged so many businesses in 2017 is a prime example of poor processes – in this case, failing to update software, creating huge vulnerabilities. The attack affected companies globally, although in the UK the media brunt was borne by the NHS, which estimates a cost of £92 million to recover damaged IT equipment; although it has made no public acknowledgement of the cost to patients’ health as a result of cancelled operations and missed diagnoses.

While these events clearly focus management attention on the escalating risk created by cyber security, none of these organisations had failed to invest in security hardware or software. What they had overlooked was that a cyber resilient business is underpinned by highly effective processes and a highly aware and educated staff.

New Information Security Culture

User awareness and education is a huge component of a cyber resilient organisation. Simple steps such as teaching employees to recognise a phishing email or spot a rogue Wi-Fi hotspot at the café, station or conference centre, can radically reduce incidents. But this is just the start: user awareness and training must be part of a complete resilience process.

Continually testing staff awareness – by sending phishing emails and following up with additional training to those who mistakenly click on the email – is essential, but staff also need to know what to do if they do click on a phishing email by mistake. And that means the company needs to put in place a clearly defined process that encompasses everything from ensuring users recognise the importance of immediately notifying the incident response team, to locking down the device and removing it from the network, and critically, undertaking an assessment to determine whether the incident has created a regulatory reportable breach.

In addition to improving awareness and understanding, it is also important to make life easy for the user.  While IT has become obsessed with the concept of complex passwords changed every sixty to ninety days, for the user the only option is to write these down – or continually waste time calling the help desk for a reset.  How much more effective to opt for single sign in and passwords changed only when the user perceives a risk? Or once a year? Not only does the business lose the massive risk associated with passwords written down everywhere, but the help desk calls plummet – and the IT team has time to fix the gaping security hole left by the disturbing number of network devices still operating on easily breached default settings!

Security Standards

This people and process model is at the heart of the global ISO 27001 security standard – a standard which in this post GDPR era is prompting increasing interest as a way of demonstrating the security provision in place should a breach occur. And, to circle back to where we came in, this is where the board needs to get involved: ISO 27001 states that management must be engaged in the information security management process; they must lead by example and provide clear guidance to the organisations on issues such as risk management. That means that security is not just a line on the budget and a chance to pass the buck to the information security management team; the board must actively discuss and consider security policy is certification is to be achieved.

And, to be frank, the board should be actively involved. The creation of a cyber resilience framework is key not only to reducing the likelihood of a breach but also to ensure systems can get back up and running as quickly as possible to minimise business disruption – and that framework is ultimately defined and directed by a corporate understanding of risk.

Simply accepting an ever increasing security cost is not enough. It is not until the board has discussed and agreed upon the risk appetite, which will vary significantly between organisations, that the business can begin to take the correct steps towards managing information security – and that means investing in the right skills to define and implement new processes and staff awareness.