Cyber security risks to businesses continue with a growing number of more skilled, well-funded, state-backed, and motivated attackers. The IMF reports that the costs of worst-case breaches have jumped four-fold to USD$2.5bn. Boards are undergoing legal and regulatory pressure to safeguard data, privacy and business resilience. This is most acute in finance, critical infrastructure and listed organisations.
Despite this, reliance on digital systems and the growing complexity of cyber risks have not been matched by an equivalent increase in executive understanding. Boards often consider cyber risk to reside in the domain of experts, a delusion that can persist right up until they suffer an attack and learn the consequences. Businesses need sufficient controls in place to prevent breaches, as well as the ability to deal with them when they occur.
Traditional manual, compliance-driven audit approaches are obscuring boards’ visibility of these issues. They are failing to deliver timely, reliable and useful information. Executives are flying blind—making flawed decisions and false or outdated assurances to customers, insurers, regulators and the market. Evidence of this is clear in the torrent of news stories that continue to cover ransomware attacks, data thefts, privacy breaches and service disruptions, even in regulated industries.
Board members are not expected to be experts in cyber risks, but they do need to be aware of them. Significant fines are being levied by the SEC, privacy regulators and courts for compliance failures. The owners of the New York Times were recently fined USD$10m for failing to notify markets about a breach. The potential for sanctions against individuals is also increasing, as in the case of SolarWinds and its CISO (although charges have since been dismissed) and the personal prosecution of the Chief Security Officer at Uber.
Better visibility of system controls, internal front-line operations and partners gives greater confidence in the effectiveness of cyber defences. Businesses receive accurate, reliable and trustworthy audit outputs in other streams of activity, such as financial reporting. However, the same rigour and integrity can be found lacking in cyber security.
Questionnaires are commonly used to assess information technology exposures, especially for third parties. However, they are dependent on the knowledge and underlying motivation of those responding. Even honest responses can contain omissions, biases and misconceptions. They are particularly onerous for organisations with many suppliers or business units, where separate questionnaires need to be “stitched together” for an adequate picture of the risk.
Interviews with front-line teams and checks on processing records are often part of manual audits, but the picture they give is frequently no clearer. Selection biases in sampling, a motivation to convey positive views and gaps in knowledge are common. Worse, the workload for both auditor and auditee is not reduced.
An industry has emerged to address this. It uses methods similar to those of attackers to gather system information and find weaknesses to exploit. Using complex tools and deep expertise from specialist companies or in-house teams, this approach delivers a high level of transparency. Its technical complexity makes it costly, and the results can be difficult to understand for some IT team members and for non-specialist board members.
IT teams need detail – system identifiers, configuration settings, specific changes – while executives need outputs that relate to changing business risks. These depend on many factors including system roles, business plans and legal undertakings. Long lists of technical issues and low-level findings don’t help.
Each of these approaches is individually flawed, and together they suffer from a further collective challenge: the effort and cost involved mean they are inevitably rolled up into infrequent, once-a-year audits.
Cyber security is fast-moving and new weaknesses emerge all the time. Each new user account could be a risk. Each flow of data could expose sensitive information. Every system change could open a route to attack. With boards relying on audits to verify the effective management of cyber security, this situation is fraught. Inaccurate, out-of-date and opaque reports can quickly lead to bad decisions and false statements on behalf of the business. It is imperative that cyber security audits take place at a greater frequency. Evidence-based data reduces the duration of exposures, giving operational teams and senior managers visibility that previous weaknesses have been addressed.
The transformation of cybersecurity audit through technology provides some hope. It enables businesses to improve the safeguards protecting data and the accuracy of reporting processes. It also hastens the transfer of audit opinions to the board.
Gathering data on configurations, settings, policies and records of operation directly from security management systems has many advantages. It avoids relying on questionnaires, on interviewing operational teams, or solely on the direct outputs of the controls themselves. The use of audit technology is easier, more accurate and repeatable. Avoiding reliance on control outputs gives greater independence, and it is less intrusive than scanning every system for every possible vulnerability to detect security weaknesses.
Besides accuracy, speed, repeatability and objectivity, these technologies also allow reporting outputs to be tailored for different audiences. Operational teams need details of specific corrective actions or settings for individual systems to allow exploitable weaknesses to be rapidly addressed. Executives need high-level information on the coverage and performance of controls to have confidence in the statements they make to their stakeholders.
However, the major advantage of automating audit processes is the ability to operate more frequently, even continuously, to find issues, trigger resolutions and check progress. This avoids obsolete annual cyber audits and hastens discovery and corrective action.
The security breach at Australian health insurer Medibank is a cautionary tale. While the matter is still before the courts, one investigation alleges inadequate protection of the business and its information. According to the Office of the Australian Information Commissioner, audits were not acted upon to correct the issues identified. Whether it is enough for an audit report “to exist” for compliance purposes, or if it is to be used to improve security controls, continues to be a matter to be resolved.
Cyber security issues that are overlooked can mean that attacks are inevitable, given their nature and prevalence. Reducing the interval between assessment and mitigation means less time at risk, while continuous checks can reveal failures in remediation processes as well as in controls themselves.
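The continuous loop described in the preceding paragraphs (collect settings directly from management systems, evaluate them against expected controls, report operational detail to IT teams and coverage figures to executives, and track whether remediation sticks between runs) can be sketched in a few dozen lines. The following Python is an added illustration, not code from the original article or from any vendor product; the control names, thresholds, system names and snapshot values are all constructed for the example.

```python
from datetime import datetime, timedelta

# Expected control settings. Constructed for this example, not a real baseline.
# Each entry maps a setting name to a predicate that returns True when the
# observed value passes. A missing value (None) never passes: no evidence
# is treated as a failure rather than an assumed pass.
CONTROLS = {
    "mfa_enforced":    lambda v: v is True,
    "disk_encryption": lambda v: v is True,
    "patch_age_days":  lambda v: v is not None and v <= 30,
    "admin_accounts":  lambda v: v is not None and v <= 2,
}


def evaluate(snapshot):
    """Evaluate one snapshot {system: {setting: value}} against CONTROLS.

    Returns {(system, control): observed_value} for every failing check.
    """
    failures = {}
    for system, settings in snapshot.items():
        for control, passes in CONTROLS.items():
            value = settings.get(control)
            if not passes(value):
                failures[(system, control)] = value
    return failures


class AuditTracker:
    """Keeps state between runs so each run reports what is new, what was
    fixed, what persists, and what has regressed after being fixed earlier."""

    def __init__(self):
        self.open = {}      # (system, control) -> datetime first observed failing
        self.fixed = set()  # keys that failed at some point and later passed

    def run(self, now, snapshot):
        failures = evaluate(snapshot)
        current, previous = set(failures), set(self.open)
        new = current - previous
        resolved = previous - current
        persisting = current & previous
        # A "new" finding that was fixed in an earlier run is a regression:
        # the remediation process, not just the control, has failed.
        regressed = {k for k in new if k in self.fixed}
        for key in resolved:
            self.open.pop(key)
            self.fixed.add(key)
        for key in new:
            self.open[key] = now
        # Operational view: per system and control, the observed value and
        # how many days the exposure has been open.
        operational = sorted(
            (system, control, failures[(system, control)],
             (now - self.open[(system, control)]).days)
            for (system, control) in current
        )
        # Executive view: percentage of systems passing each control.
        total = len(snapshot)
        coverage = {
            control: round(100 * (total - sum(1 for (_, c) in current if c == control)) / total)
            for control in CONTROLS
        } if total else {}
        return {"new": new, "fixed": resolved, "persisting": persisting,
                "regressed": regressed, "operational": operational, "coverage": coverage}


# Constructed snapshots, as if gathered weekly from an endpoint-management system.
T0 = datetime(2024, 1, 1)
RUN_1 = {
    "web-01": {"mfa_enforced": True,  "disk_encryption": True,  "patch_age_days": 12, "admin_accounts": 1},
    "web-02": {"mfa_enforced": False, "disk_encryption": True,  "patch_age_days": 45, "admin_accounts": 1},
    "db-01":  {"mfa_enforced": True,  "disk_encryption": False, "patch_age_days": 3,  "admin_accounts": 5},
}
RUN_2 = {  # week 2: web-02 patched, db-01 encrypted, but an extra admin appeared on web-01
    "web-01": {"mfa_enforced": True,  "disk_encryption": True,  "patch_age_days": 19, "admin_accounts": 3},
    "web-02": {"mfa_enforced": False, "disk_encryption": True,  "patch_age_days": 2,  "admin_accounts": 1},
    "db-01":  {"mfa_enforced": True,  "disk_encryption": True,  "patch_age_days": 10, "admin_accounts": 5},
}
RUN_3 = {  # week 3: web-01 admin removed, but db-01 encryption has been switched off again
    "web-01": {"mfa_enforced": True,  "disk_encryption": True,  "patch_age_days": 5,  "admin_accounts": 1},
    "web-02": {"mfa_enforced": False, "disk_encryption": True,  "patch_age_days": 9,  "admin_accounts": 1},
    "db-01":  {"mfa_enforced": True,  "disk_encryption": False, "patch_age_days": 17, "admin_accounts": 5},
}


def demo():
    """Run the three weekly snapshots through one tracker and return each report."""
    tracker = AuditTracker()
    r1 = tracker.run(T0, RUN_1)
    r2 = tracker.run(T0 + timedelta(days=7), RUN_2)
    r3 = tracker.run(T0 + timedelta(days=14), RUN_3)
    return r1, r2, r3


if __name__ == "__main__":
    for i, report in enumerate(demo(), 1):
        print(f"run {i}: coverage={report['coverage']} regressed={sorted(report['regressed'])}")
        for line in report["operational"]:
            print("   ", line)
```

The point of the `regressed` set is the one the paragraph above makes: a weekly loop not only shortens the interval between assessment and mitigation (the `days` column shows how long each exposure has been open) but also catches a control that was fixed and then silently undone, which an annual audit would never see.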
Organisations must do three things:
Boards and internal auditors have much to gain from effective internal audit processes. Likewise, IT operators and managers benefit from continuous collection and tracking of configuration information and weaknesses. With the impacts and penalties for cyber security breaches becoming more meaningful, and the reputation of both organisations and executives at stake, there needs to be prompt discussion and agreement within organisations to address and manage this issue.