
Ideagen Insights
Welcome to Ideagen Insights, Ideagen’s official audit and risk management podcast channel! In each episode our host, Stephanie Jones, is joined by experts in the audit and risk management industry. Stephanie is Ideagen’s Audit Product Manager. She has more than 12 years of Internal Audit experience and was recently named one of the nine District Advisors for the IIA in North America. Together, Stephanie and our guests explore and evaluate topics that are of interest to audit departments and are key business risks to organizations across the globe. Visit www.ideagen.com to learn more.
S1EP1 - Internal Audit and the Risk of Cybersecurity
Welcome to Ideagen Insights, Ideagen’s official Podcast Channel. In our launch series, we are focussing on the biggest issues facing Internal Auditors across Europe and North America in 2020. In each episode, we look at a specific topic identified as a key business risk by European and American branches of the IIA and evaluate the impact these will have on internal audit departments as they prepare for the year ahead.
Our host is Stephanie Jones, Ideagen’s Pentana Audit Product Manager. Stephanie has more than 12 years of Internal Audit experience and was recently named one of nine District Advisors for the IIA in North America.
Today Stephanie is joined by Andy Gascoigne, Ideagen’s Head of Cybersecurity, and Ian Hepworth, Ideagen’s Chief Technology Officer, to discuss Internal Audit and the risk of Cybersecurity.
Stephanie Jones: 0:00
Hello everyone and welcome to Ideagen's official podcast series focusing on the biggest issues facing internal auditors across Europe and North America in 2020. My name is Stephanie Jones, and I am the product manager at Ideagen for Pentana Audit and with me today I have Ian Hepworth and Andy Gascoigne.
Ian Hepworth: 0:27
Thank you very much, Stephanie. My name's Ian Hepworth, and I'm the Chief Technology Officer here at Ideagen.
Andy Gascoigne: 0:32
My name is Andy Gascoigne and I am the Head of the Cybersecurity unit at Ideagen.
Stephanie Jones: 0:38
Thank you, Ian and Andy for being here. In each of our podcast episodes, we look at a specific topic identified as a key business risk by European and American branches of the Institute of Internal Auditors and evaluate the impact that these will have on internal audit departments as they prepare for this year. So today we are going to talk about cyber security and data security. In the Risk in Focus Report by The Institute of Internal Auditors, 78% of European Chief Audit Executives, cite cybersecurity and data security as a top five risk. This statistic is also reiterated by North American Chief Audit Executives, where 70% identify the risk of reputational damage caused by a privacy data breach as an audit area of high or very high concern. Why do you think this is?
Andy Gascoigne: 1:34
Trust is incredibly hard to build up and it's very easy to lose. The reputation of the business can take years, if not decades, to actually get enforced, but it can be destroyed in one easy and quick move. I think that's the crux of what we need to talk about. However insignificant the breach, the fact that the company had a breach becomes a tagline and in fact, in many RFQs that we get for our business, the constant question is always "Have you ever had a breach and if so, when?" so you would be effectively tarred for a long, long time with some sort of breach issue.
Ian Hepworth: 2:16
Yes, I tend to agree. I think the way in which a business's customers perceive the reputation of the business has become all-important, particularly where we are in a modern society with a much greater cyber footprint for everybody with the advent of social media and the ability for information to disseminate in the rapid manner it can. So, therefore, anything that happens can be disseminated and sent out to a very large number of people in a very short space of time. That reputational risk is so easy to basically transpire as something potentially even bigger than it possibly was. But it is actually there and nonetheless causes a major issue.
Stephanie Jones: 2:55
I agree completely. Do you feel that this threat is evolving over time and if so, how?
Andy Gascoigne: 3:00
I think it evolves naturally. I think there's always going to be a basic ingress method, which is basically BEC (business email compromise) - the fact that a phishing email is sent. What we're seeing now is a more subtle approach. So rather than the scatter gun, not necessarily a targeted approach, the scatter gun approach that was happening previously, you now see individuals singled out again, as Ian mentioned. Social media has a lot to play on that - effectively people know a little bit about someone before they then contact them. The business social media aspects are more dangerous in that aspect, from my perspective, because it identifies people, what the job function is, who their colleagues are and so on. It's then easy for an attacker to form a conversation with this person and try to gain their trust before launching into any specific kind of attack.
Ian Hepworth: 3:55
Yeah, I think you're absolutely right there, Andy. The evolution of it has definitely come with the more prevalent and more widespread use of social media and with that, the more awareness that the general public has of their own cyber security and their own image and presence and the way that they're perceived online. You know, there is a lot made of the celebrity culture, I suppose, to some degree, but that is only an extension of what happens across the business and personal space. So that whole wider view of everybody's digital footprint means that the risks associated with anything that could be exploited are exponential based on the size of that growth.
Andy Gascoigne: 4:41
It's definitely something that is on the increase. I think the technology that we use has to keep pace with that. So we find ourselves moving away from the traditional sort of signature-based antivirus tools that we used to use, where each file, as you probably know, has its own identity, its own signature or hash, and traditional AV software used to effectively look for that identity and flag it as being a potential issue. What we use now is these systems called EDR (endpoint detection response), behaviour analytics. So it's looking at what a person normally does in their day to day activity and is that different? So is suddenly someone doing something that's out of the norm in a different place, maybe, or just executing code that they perhaps would never do? And that's an evolving technological advance that we're using.
Ian Hepworth: 5:39
Yeah, I think there's also an element of the fact that there are targets. Your company, and Ideagen is one of them for certain, is that you're not targeted for who you are, but you're targeted for who your customers are and who could be exploited potentially on your behalf. So you have a greater responsibility and therefore have a greater need for better tooling, processes and teams to be able to ensure that what you're not doing is exposing data that isn't just yours, but you've got a responsibility to maintain data for customers. And that's quite often how companies target smaller IT firms and smaller software firms that potentially win deals with large customers. As Andy said, we have some very large customers and we are a large business as well, but we are constantly asked the question in RFPs around cyber security, and smaller businesses are generally targeted for their customer base, not necessarily for their own information.
Stephanie Jones: 6:34
Yeah, I think that's a really good point Ian and Andy and the fact that the size of an organisation can impact the vulnerability to these cyber attacks, so I think that that's a very good point. So what do you feel are the most prominent emerging cyber risks today?
Andy Gascoigne: 6:51
I think there's an evolvement, as we already mentioned, of existing risks that have morphed a little bit or just changed somewhat. People continue to be our greatest asset, but also one of our greatest risks. And the need to get things done, the need to move quickly, to answer that email or whatever it is, can sometimes still become an issue. As I mentioned earlier, Business Email Compromise (BEC) is the most effective way for an outsider to gain entry into the organisation with a simple phishing, usually targeted, so spear phishing, or to use another term for CEO fraud, which is Whaling, when going for the big fish. It's always going to be the case that if you gain some sort of trust, typically it's conversational. So it starts off with, "Hi there, can you help me? How are things?" Again Social Media takes a part in that because people can learn what your type of language is, how you would normally speak, from the posts that you may put out there. It sounds like this is an awful damning exercise on social media - it's not all bad, but it's just that it gives attackers an initial kind of point of contact that they can leverage. Other things that I see more so happening are continuing in different forms. We've seen a lot of cities shut down and large organisations targeted - some people paying the ransom, which is an interesting tactic in some cases. While typical advice is to never pay the ransom, paying the ransom has seen some people get back their business quicker. So it becomes a credible, if not an unusual, tactic to adopt. I certainly wouldn't advocate for doing that, but in some cases, when all else fails, people will feel that that is all that they could do. A slightly different spin on the Ransomware attack is crypto mining. So this is something where you see a typical similar Ransomware attack.
Instead of locking files down and doing something malicious that you would notice, it would effectively set a small process running, which would just mine Bitcoin or some other currency, that can then remain undetected on your PC for a long, long time. And because it's not causing any particular downtime, you may just notice your PC running a bit slower. It's not reported very often - there's a big upturn in this kind of attack. Lastly, the only thing I have noticed that is more prevalent is denial of service attacks, which are a similar thing to crypto mining in that it's a reduction in service, so it is stopping you doing what you need to do. Therefore, it goes unreported more often than other types of attacks. Effectively it's an IT problem, it's something that's a technical issue rather than necessarily being reported as a cyber issue.
Ian Hepworth: 9:59
Yeah, I completely agree. I think that the people side of things is absolutely correct. You have a distributed workforce, and you have people willing and able to access company and corporate information potentially on personal devices. Or, you know, the terminal that sits in an airport lounge. You think, "I'll just go and check my email on the Webmail," or plugging your phone into a USB port thinking all you're doing is charging it. You know, there are many and more sophisticated ways that cybercriminals are using to get access to information. And it's increasingly about not just getting necessarily one key piece of information from one person or one location. It's about constantly mining huge amounts of data from multiple locations, and bringing that together and making the sum of those parts something that equals something they can genuinely use. Be that for cyber blackmail or be that for getting information and putting things out there. And I know it's going to be a social media thing again, which I know, Andy, we shouldn't really necessarily bang on about too much. But I see a lot of posts on social media where you get people answering questions - what's your favourite colour, your date of birth, your year of birth and your star sign. What people don't realise is that these are actually put out there as sophisticated cons, because people put out 15, 16, 17 different surveys and before you know it, what you've done is you've given all of the personal information that you are asked for whenever you go and get asked personal questions. Your mother's maiden name, your date of birth, your favourite colour, your first school, your favourite car, where you grew up - these cybercriminals are getting very sophisticated and putting things out there that seem very innocuous, but give them a mine of information on an individual, from the tone of voice in which they write posts, the secret answers that they give to questions and the potential passwords they might use. All of a sudden, they've got this trove of information that they can start to concatenate on and build something that allows them to perpetrate a breach.
Stephanie Jones: 12:01
Yes, those surveys are very tempting, especially when we all spend so much of our time these days on social media and you see those all the time pop up, so I completely agree with that, and I think that Ian, Andy and myself, we all agree that this is certainly a top risk and something that needs to be addressed. As I mentioned at the start of this podcast, a very high percentage of the chief audit executives agree with that, however, the North America Pulse of internal auditing report identifies that there is a significant gap on the part of internal auditing when it comes to this. Some of the statistics that we found - only 46% of the Pulse Report on the survey said that they deliver extreme or significant effort over the readiness and response to cyber threats, but 82% said that they should! So, what do you believe can be done by internal audit to ensure that internal auditors are providing that necessary support to address these cyber security threats?
Andy Gascoigne: 13:13
I think it's just a really good point and it's a difficult one, because how do you measure significant? It's very subjective, from one organisation to the next. We adopt a maturity model, a capability maturity model, which highlights different areas of security posture. Looking at things, not just technology, but that is one of them, but process, the methodology, reporting, the people element - what do we do about staff, do we train them, do we train the cyber team as well as the general staff? And then the Business, which is one of the drivers. What do we actually need to achieve? What is significant from that perspective and the customer's, so both sides of that, and also services. So we're looking at things like threat management and security monitoring services, external services, penetration testing of the applications. We measure each one of those things against a given number of criteria - there's five main elements. There's a crazy kind of star diagram, so you can immediately see at a glance which one you're quite strong in and also where you need to make some improvements. I think that internal audit can leverage that to perform an internal audit based on how the business would expect the cyber teams and the business in general to be performing. Assess it against real world necessities. We do it ourselves, but it needs an external - as in external to the team - influence.
Ian Hepworth: 14:51
Yeah, I think you are quite right again, Andy. I think that one of the major areas where an internal audit team, or an audit in general, can help is raising awareness and making sure this is front and centre. Make sure that there is a lot of collaboration with cyber security teams in general, across organisations and across multiple organisations, across the verticals, to make sure there is some consistency in approach, and making sure that what those audit processes do is highlight where the weaknesses are. And the only way that the internal audit teams will understand what those weaknesses are is by talking to people and talking to the teams and working collaboratively with those that do know, making sure of that awareness and making sure that that understanding is brought out as part of the audit process and highlighted at a senior enough level, and I can't stress that enough. You know, I'm a technology professional and I'm a senior technology professional, but I am still very much reliant on my teams and the people within the organisation to tell me where the issues lie. Ideagen is a very large distributed company, we've got over 500 employees worldwide. I've worked in much larger organisations and ultimately you can't know everything, and you are reliant on people to actually be able to tell you what it is they see as exposed issues. And people can only tell you what they are if they're aware of what those issues might look like. I think a big important role of internal audit when they go across an organisation is to make sure that what they're doing is auditing those things so that awareness can be raised at a senior enough level so it can be actioned.
Stephanie Jones: 16:21
Yes, I completely agree with that and Andy going back to something that you said about training, as an employee of Ideagen, I have taken our cybersecurity training and it's definitely helped, and I can attest to the fact that we do that here at Ideagen. I think that's something that internal audit can include in their audit plan as part of a cyber security audit, making sure that companies are training their employees, checking for compliance to that training and like you said, just collaborating. I think cyber security overall is an area that some of the subject matter expertise exists within the technology department. And so if the audit team doesn't have that expertise, we do rely on the technology folks to help provide that. One thing that you mentioned, Ian that particularly stands out to me is just the fact that internal audit does have that visibility too and that opportunity to share and to highlight areas and get the attention of the board of directors and the attention of senior management. So if there are issues, then it's just another way for the company and more muscle and reason for the company to act on some of those items.
Andy Gascoigne: 17:46
Definitely, and I think it stops as well at sometimes a technology team could maybe focus on a technology area. It's a natural focus for a tech team to do and we just need to have that measured so that you know, we don't lock all the doors, batter them down, then find we've just left the windows open.
Stephanie Jones: 18:05
Very good point. There are different audit programmes out there that internal auditors today can use. I know there's a NIST framework that can be utilised that's available to internal audit and again, just to provide another perspective, so that maybe we can even point out something that the technology folks aren't looking at, or to complement things that are being done.
Ian Hepworth: 18:27
Yeah, that's interesting, actually, Stephanie, because there's another point as well, that although the cyber security teams like Andy's team, who are very good and very diligent, and even myself at the level I'm at, we won't necessarily know what pieces of data, to some degree, represent risk to the business. So there's a responsibility for the audit teams that have got much more awareness or contact with those business units to ask the question - what data genuinely represents a risk, or what areas or what things generally represent a risk if they were to get out into the wider world - and make sure that those are things that then come back and are monitored and understood and managed, because the technology teams, the cyber security teams, are not necessarily subject matter experts in the day to day activities of what the business does and don't necessarily understand completely where all those risks may lie, so there's a responsibility for the business to ensure that they are communicated as well.
Stephanie Jones: 19:20
So do you feel that there are any opportunities for growth for businesses as a result of having these effective cyber security measures in place?
Andy Gascoigne: 19:31
Definitely. I mean, there are several ways that that would work, one of them which Ian touched on briefly as well is this holistic approach and being open and transparent, being seen to be an organisation that's doing the right thing. If you are sharing and collaborating with other organisations, not just other teams, that adds to a reputational awareness of the organisation. People sometimes forget that if someone attacks your organisation, you are the victim of a crime. Okay, you may not have put the seatbelts on, which is where issues can arise if you're not technically doing things properly. But sometimes things happen even with the most appropriate amount of security in place. I think that being seen to be open and transparent about what you're doing to collaborate with others, obviously you can't divulge confidential information and having a plethora of customers, neither of those would wish us to divulge anything pertaining to them. So we have to measure the fact that we can't divulge as much as perhaps sometimes you would like, but also make sure that we are as transparent as we possibly can and engage with people about this.
Ian Hepworth: 20:47
Yeah, I think as far as opportunities for organisations go, if you are public and open about the fact that you are very engaged from a cyber security point of view and you make a point of it and you do that with your customers and you do that with your business internally and that's a message that gets out there and you are doing that as a leading light in whatever vertical it is you might operate in then that gives you the ability to have a commercial advantage. So there is a genuine commercial angle and advantage to being more aware, displaying that awareness, managing that awareness, being open and honest with your customers about when potential issues occur, how they're managed and what you do about it and working with them to do it, rather than trying to sweep things under the carpet and hope it doesn't get out. So I think the open and honest transparency approach with your customers and with your internal teams offers a business and commercial advantage just by being a better cyber citizen for want of a better phrase.
Stephanie Jones: 21:51
Yeah, I agree with that completely - that openness and transparency. We all know large companies and companies that we trust that have still had breaches. Do you feel that if a breach does occur, regardless of all the defenses and all the different measures that you can take to try to prevent one, but if a breach does occur, then it sounds like you both agree that there are opportunities, even to position ourselves as a company to regain that trust and to maybe even come out on top?
Andy Gascoigne: 22:27
Definitely. I mean, it's the case of the matter that you are learning all the time about these things and the best point to learn is when something really is happening. You don't necessarily want to be in a training exercise at that point, but you do learn from what happened - revisit it and have a retrospective, look at what you could have maybe done differently and take input from all manner of organisations that can help you with that. Also work with your customers for feedback on how the issue was handled.
Ian Hepworth: 23:02
Yeah, completely. I mean, speaking personally, I use a couple of online services and a couple of capabilities in the technology space that I know have had breaches in the past. But I have also been very keen to look at their response to those breaches and what changes they made post breach and the way in which they managed that and the way in which they communicated the changes in which they implemented because it gave me the confidence of, obviously in a reasonably better position of knowledge than perhaps a lot of people might be to make those decisions. But they gave me the confidence and knowledge to turn around and say You know what? I'm actually more comfortable using their product now than arguably I was previously, which might sound strange, but it's genuinely true.
Stephanie Jones: 23:42
Yes, I agree with that. And on the flip side, if someone does sweep it under the rug and you find out about that later, then that also sends a message.
Ian Hepworth: 23:52
It does, and they will never get my business again and I'll go to competitors. So the way in which these things are dealt with, the way in which companies take a responsible attitude to dealing with cyber security, even in the event of an adverse incident, I think is remarkably important. In fact, I would almost say paramount.
Stephanie Jones: 24:11
Yes, completely agree. And that's also reassuring as a company, if something does happen, it's not the end of the world.
Ian Hepworth: 24:19
No it isn't!
Andy Gascoigne: 24:19
Definitely, I think if you can illustrate the fact that what you did was appropriate levels of significant effort or you've done the right thing, as Ian said previously, you are the victim of a crime if you take all appropriate measures. You can secure something so that it's unmovable, but that's not appropriate. You know, we need to be able to function as a business. We need to be able to thrive as a business. We don't want to have things put in the way that would block that, so we have to temper the fact that we can't do all the things that will be supremely secure because it just wouldn't work for us, and you just need to illustrate that properly.
Stephanie Jones: 24:57
I love what you both mentioned about the collaboration with internal audit, to ensure that the audit team has in their audit plan, on a pretty regular basis, to look at the cyber security team, the training, asking the right questions and constantly improving the internal audit knowledge around cyber security and making sure that we're helping also. And if things do emerge, if there are things and actions that need to be taken, then again, internal audit has the ability to bring that to the attention of management, to the board, to put that in an audit report, and internal audit typically has the action tracking mechanisms in place to ensure that things are being addressed that need to be addressed. So it certainly is a collaboration, and where we can partner we each bring our strengths.
Andy Gascoigne: 25:57
That's right. It's something you touched on very well before, Ian, that aspect of asset management. The focus a tech team may have may differ from what internal audit can look at, because they have a more holistic approach to the business in general and the asset management - what are the key assets, you know, the things without which the business really couldn't function. What are they? Where are they? And who looks after them and is responsible for them? Those are the things that really need to be protected very, very carefully.
Stephanie Jones: 26:26
Before we sign off, any final thoughts around this topic or anything that we did not cover that you wish to mention?
Andy Gascoigne: 26:33
The only thing I can think of for the moment is about testing the plans that we may have. So we produce an awful lot of plans and response programmes as to how we would deal with issues - testing those is the only real way that we're going to learn effectively without being under the extreme pressure of a real life situation. I think we need to focus on engaging with internal audit with that as well, to assess just how did that go from an external perspective, what was covered again? What could we really do better? How could we engage with different teams in a more appropriate manner, and just keep on testing it, and even into the situation where you have a sort of red team/blue team, where the people don't know that they're actually being assessed or tested. Sounds awful. You don't want to put people under the pressure of a test, but it's better than the pressure of a real life incident. So I think that's something that we need to look at.
Ian Hepworth: 27:27
Yes, and to build on that, I think it's constant communication and collaboration. I think the internal audit teams need to genuinely appreciate that this is not a once a year or even once a quarter thing, potentially, that they need to keep up with what's happening, what are the emerging threats, what's their feedback into the cyber security team? This is a constant revolving door of change and, you know, the footprint widens, the risk widens. So therefore it's not something you can approach lightly - 'oh, it's February, let's update our cybersecurity internal audit process'. You know, this is something that needs to be managed and constantly tested, collaborated on, to make sure that both parties are aware of each end of the spectrum, as they need to make sure that the business is protected and able to respond when something inevitably, in one way, shape or form, occurs. It genuinely is something that needs to be managed as an ongoing exercise, and I think that's one of the biggest messages to get out there.
Stephanie Jones: 28:28
So internal audit can provide that real time assurance that things are being looked at as appropriate.
Andy Gascoigne: 28:37
Yeah, it must not be a box ticking exercise, which so often it can be, and I think the constant evolving nature, which is where we began this discussion, means that we have to constantly look at how we inform and train individuals without it being seen as a chore. There's always going to be some friction; however, not long ago, the walk into an airport detector was seen as being a massive inconvenience. Now it's just something we do every time we go. You don't question it, and we have to get to that level of accepting that there will be a little bit of friction but making it work for you.
Stephanie Jones: 29:14
It's a very good point. Well, thank you both for joining me on this podcast today. I really appreciate your time. I think you brought up some really great points and certainly given me some things to think about, and hopefully the internal auditors that are out there some things to think about as well. So I appreciate both of your time and thank you for being a part of this podcast.
Ian Hepworth: 29:37
Thank you, Stephanie.
Andy Gascoigne: 29:38
Yes, thank you, Stephanie.