This article is a part of Risk Update 4.
As we enter a new financial year, it is a good time to take stock of the key technology trends relevant to many organisations and to align your IT control assurance plans around those trends.
Setting context: 5 current technology trends
1. IT services are being delivered and secured remotely
Looking ahead to a post-COVID world, remote working in one form or another is likely to be a permanent fixture. In order to rapidly adapt in 2020, many organisations had to fast track remote technology arrangements including rolling out new teleconferencing software, changing VPN configurations, implementing processes to remotely provision and support devices and more. It was not uncommon to hear “what would normally take us 6 months got done in 4 weeks.”
Given the speed these changes were implemented, it would be prudent to retrospectively check that the appropriate governance and security controls are in place for these arrangements.
2. The cloud may be taking over, but there are shared responsibilities
Cloud transformation is at the core of almost every organisation’s IT strategy and has been for some time. It has been nearly 6 years since APRA published its initial information paper for regulated entities outlining its expectations for adopting cloud computing services. As such, by now most financial institutions have put in place repeatable processes for upfront and ongoing due diligence over these arrangements. However, as more and more critical services are migrated to the cloud, it is vital that there is continued clarity on the shared responsibility model (which security controls the provider operates and which remain the customer’s) and continued investment in supporting infrastructure, such as identity and access management services and the integration of security logging and monitoring.
3. COVID-19 has accelerated the already rapid digitisation of products and services
The business models of many organisations were completely transformed in 2020. A global survey of executives by McKinsey found that in the first 6 months of the pandemic, across all continents and industries, the average share of products and/or services that are digitised increased by 60% [1], a change that would usually take over 7 years to achieve. Now more than ever, the greatest risks to a company’s assets are no longer physical; they are digital. Intangible assets represent an increasing portion of balance sheets and make up over 90% of the S&P 500 market value [2]. To a large extent this is a combination of both software and data.
4. Cyber attacks are increasingly targeted for the purpose of financial and political gain
The perception of a typical hacker has historically been a bored teenager in the back room of their parents’ house using known tactics and exploits (a so-called “script kiddie”), largely for entertainment or bragging rights. However, there has been a significant shift in recent years towards targeted attacks orchestrated by organised crime groups seeking financial gain, as well as by state-based actors seeking political gain through espionage, retaliation, intimidation and destabilisation.
Ransomware is a common and high impact attack carried out for financial gain. It is also increasingly coupled with exfiltrating sensitive data and the threat of public disclosure. Another common threat is financial fraud, for example where an attacker changes staff or supplier bank details to redirect payments. This is often achieved through business email compromise and/or social engineering.
State-based attacks have become incredibly sophisticated, often targeting the control or disruption of critical infrastructure or organisations such as banks, universities, utilities and hospitals. Sometimes these attacks are covert, for example to gain access to valuable intellectual property. Other times they aim to disrupt, for example by gaining access to industrial control systems.
5. Heightened regulatory and compliance focus on security risk management
Across government, industries and supply chains there is a focus on strengthening the requirements and expectations of robust security risk management practices. The Australian Cyber Security Strategy 2020 charts a roadmap for regulatory reform that aims to clarify the cyber security obligations of both the public and private sector. As such, it appears likely there will be further significant change to the regulatory requirements across a wide range of industries over the coming years.
Key recent and emerging regulatory highlights:
- Security Legislation Amendments (Critical Infrastructure) Bill. Likely to be legislated in 2021 and will impact a broad range of industries.
- The Corporations Act contains broad obligations for risk management, particularly for financial services. ASIC launched a landmark case in 2020 related to cyber risk failings at a licensee.
- APRA CPS 234 (Information Security) applies to financial institutions. Tripartite independent security reviews are currently underway.
- CORIE framework, which sets the Council of Financial Regulators’ requirements for industry-wide cyber resilience exercises. It is currently under pilot.
- SWIFT Customer Security Programme for financial institutions recently updated control requirements for 2021. Failure to comply may be publicly disclosable.
Building the plan: 5 control areas for focus
Whether you are planning control uplifts as part of your cyber security or technology risk roadmap, or selecting control areas to assess as part of your IT Audit Plan or Control Assurance Plan, the following areas, shaped by the current technology trends above, are worth considering.
Data Protection and Privacy
The immense volume of data being stored and processed means that identifying and classifying it is an important first step to effectively governing and protecting it, regardless of whether it is hosted on premises or in the cloud.
Indicative controls:
- Information classification and inventory
- Data governance framework
- Privacy framework
- Data loss prevention
- Encryption
- Identity and access management
- Background screening
- Staff training
Cyber Resiliency
It is inevitable that IT systems will be compromised. Being able to detect and respond in a timely manner is critical to minimising the damage and meeting regulatory obligations. The ability to recover is the last line of defence, particularly in the case of ransomware, where recovery depends on backups that the attacker could not reach or alter.
Indicative controls:
- Vulnerability management
- Logging and monitoring systems (e.g. SIEM)
- Threat intelligence
- Security incident, breach and crisis response planning and testing
- Backups and IT disaster recovery
Cloud Governance and Security
Implementing cloud solutions requires careful planning and due diligence to ensure they are fit for purpose. Ongoing monitoring provides continued assurance that they remain fit for purpose and that unmanaged (“shadow IT”) solutions aren’t introduced.
Indicative controls:
- IT architecture, planning and procurement processes for cloud solutions
- Project governance and delivery controls over major cloud programs
- Third-party risk management and assurance processes, with sample testing for key cloud arrangements
- Technical controls for preventing, detecting and securing unsanctioned cloud use, such as a cloud access security broker
- Processes for managing the use of unsanctioned cloud solutions
Corporate technology and endpoint management
Remote working has changed how endpoints and corporate technology are secured and serviced. It is important to strike a balance between convenience and security, given that corporate technology is a central part of the overall employee experience and the gateway to the organisation’s digital assets, regardless of where those assets are hosted.
Indicative controls:
- Secure configuration of devices
- E-mail and browser hardening
- Benchmarking of endpoint configuration against control frameworks (e.g. Essential 8, CIS)
- Technical controls over remote access methods (e.g. Citrix, VPN)
- Mobile Device Management controls
- Endpoint detection and response
- IT request and incident management
- Device imaging and build processes
Software development, including DevOps
The ability to rapidly develop, test and deploy software that is robust and secure is essential to delivering digital products and services that meet customer and community expectations.
Indicative controls:
- Definition of requirements
- Software engineering practices, such as code management, peer reviews and secure code scanning
- Functional and non-functional testing
- Agile processes and practices
- Change and release management
Other takeaways and reminders
Don’t forget the other key building blocks to factor into your IT assurance planning:
- The current IT risk profile
- Technology and Cyber Security strategies and roadmaps
- Major IT transformation programs underway
- Related assurance and compliance activities.
References
[1] https://www.mckinsey.com/business-functions/strategy-and-corporate-finance/our-insights/how-covid-19-has-pushed-companies-over-the-technology-tipping-point-and-transformed-business-forever
[2] https://www.oceantomo.com/intangible-asset-market-value-study/