Clarity Mag

Are you prepared for cyber attack?

The final months of 2022 reminded us all how quickly things can go wrong in the event of a cyber security issue. Recently, a number of high-profile data breaches have had serious impacts on the individuals affected, as well as longer-term reputational and financial consequences for the organisations targeted.

Whether you are in a public or private, large or small, or not-for-profit organisation, cyber risk is now surely front of mind for all. Boards and management teams fortunate enough not to be directly impacted are looking across nervously and asking: “what would we do if that happened to us?” If they have not been asking that, then their shareholders have in the recent AGM season.

To help frame your risk management responses to this challenge, some ideas and thought provokers are set out below.

Where to start

  • Ask yourself, “do I know what sensitive information is, and how to identify it?”
  • Then, consider what sensitive information is stored, for how long, where, and for what purpose
  • Ensure external-facing data/application interfaces (APIs) are well protected by implementing strong authentication, business logic and monitoring mechanisms (for example, application reviews, regular vulnerability scanning, application firewalls, audit logging and alerting)
  • Ensure anomalies (such as increased data flows) can be detected and tested
  • Ensure strong multi-factor authentication is in place
  • Consider the complexity and evolving nature of cyber incidents when practising incident response drills (allowing for effective external and internal communication).

If this is already sounding too technical, then it is time to ask for help.

Managing cyber risk is a team sport

I recall attending a global internal audit conference back in 2016, and one of the key takeaways even then was that cyber was a non-delegable risk for a CEO. The recent troubles of those suffering data breaches emphasise how that is still the case.

Yet often when the topic of cyber comes up, it is tempting to turn towards the CIO or the IT team and say “over to you”.

Those days are gone, and it is important that training, awareness and reporting take place now at all levels of an organisation.

At a basic level, password protocols and not clicking on suspicious links are just the starting point, but they remind us that, in the simplest terms, cyber breaches are theft and, just as in a physical setting, everyone has a role to play in not making it easy for someone to break in.

If you don’t check, how will you know?

As well as being an internal audit topic, cyber and IT risks are increasingly a focus for the external audit community, which is now required to build upon existing work on IT general controls to include a broader and deeper understanding of how IT systems, processes and controls operate in relation to the preparation of the financial report.

A revised auditing standard 315 challenges auditors to robustly assess the risk of material misstatement from the perspective of how the IT environment supports the operation of controls and the integrity of data.

Now is a good time to consider how your assurance plan is providing your organisation with a timely, proactive and contemporary insight into your cyber risk preparedness.


Within the constraints of a short article such as this, a slightly pessimistic thought is that the recent cases tell us that no matter what you are doing, you can always do more. The ideas above hopefully get you started to help prepare for what your public response or disaster recovery plan would look like. Once you have that, then, as with all good risk management, test it, practise it and improve it.

PKF’s Risk and Cyber teams work alongside PKF Audit & Assurance, and are available to help you build a proactive and considered plan to test, before it is too late.
