1 Unit
CPD technical article
As cyber crime evolves to become more threatening, auditors need to up their game by adopting an intelligence-led approach to cybersecurity
This article was first published in the June 2017 China edition of Accounting and Business magazine.
‘The best defence is a good offence,’ is an adage applied in games and military combat, but the same strategy is increasingly applied by businesses and other organisations to the realm of cybersecurity.
Decades ago, cyber attacks mostly took the form of nuisance viruses and spam. In recent years they have evolved into a threat capable of causing serious financial and reputational damage.
‘It is logical and encouraging that models to address the pervasive and potentially devastating threat of cyber attacks are evolving,’ says Institute of Internal Auditors (IIA) president and CEO Richard Chambers.
‘The creation of formal security operation centres allows for holistic, proactive approaches to cybersecurity in which all parts of the organisation, including the internal audit function, can support the battle against data breaches,’ he says.
The Quick Poll survey of 130 chief audit executives conducted in June 2016 by the IIA, the Audit Executive Center (AEC) and the Internal Audit Foundation (IAF) found that more than a third of respondents are turning to security operation centres as part of their cybersecurity strategy.
At the same time, a growing number of organisations are recognising that ‘100% protection, 100% of the time’ is unachievable, the report says.
‘Companies at a global level are very concerned about cyberthreats. It is not just companies; countries, too, are taking cyberthreats very seriously,’ says Raj Chaudhary, a principal at US public accounting, consulting and technology firm Crowe Horwath.
While it is good news that businesses are creating formal SOCs, that is the bare minimum. Forward-thinking businesses are going further by applying intelligence within their SOCs.
‘It is a burgeoning trend rather than a full-blown trend. It’s not an either/or; it’s essentially what you have to do anyway, applying intelligence to SOCs,’ says Ben Wootliff, head of the cybersecurity practice at Control Risks Asia.
‘The SOC is purely reactive. So the way you might react to it is by saying you have identified a breach, let’s respond to that breach. You do it sequentially. The protection might not be predicated on what the motivations are. So it’s based on a compliance-based approach,’ explains Wootliff.
While an SOC is a responsive cybersecurity operation in which analysts focus on working through a list of alerts and launching appropriate responses, a security intelligence centre (SIC) is a proactive cybersecurity operation in which the emphasis is on learning about and anticipating threats, rather than triage and incident response.
‘The SIC is like an SOC on steroids,’ says Wootliff. SICs allow organisations to take a predictive approach, addressing threats before they cause harm rather than reacting to them afterwards. That matters in a threat landscape characterised by advanced persistent threats (APTs): adversaries who pursue a specific target patiently over long periods and who are seldom exposed by working through alerts one at a time.
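To make the SOC/SIC contrast concrete, the following added example (written for this edit, not code from the original article, from Control Risks or from any vendor) runs the same alert queue through both models. The reactive pass works alerts in arrival order; the intelligence-led pass enriches each alert from a threat-intelligence feed that tags indicators with the adversary and campaign behind them, surfaces alerts tied to a known actor first, and pivots from one hit to every host that actor has touched. The alert lines, the feed, the IP ranges and the actor names are all constructed for the example and are hypothetical.

```python
"""Added example: one alert queue handled reactively (SOC) and
intelligence-led (SIC). Feed, alerts and actor names are constructed."""
from dataclasses import dataclass, field
import ipaddress

# Constructed threat-intelligence feed. Keys are indicators (an IP, a CIDR
# range or a domain); values carry the adversary context that a raw alert
# never has. Actor and campaign names are hypothetical.
THREAT_INTEL = {
    "203.0.113.45": {"actor": "HYPOTHETICAL-APT-1", "campaign": "finance-spearphish", "confidence": 90},
    "198.51.100.0/24": {"actor": "HYPOTHETICAL-APT-1", "campaign": "finance-spearphish", "confidence": 70},
    "invoice-update.example": {"actor": "commodity-crimeware", "campaign": "mass-phish", "confidence": 50},
}

# Constructed alert lines in the shape a SIEM might export:
# timestamp, source, then key=value fields.
SAMPLE_ALERTS = """\
2017-05-02T08:14:01Z proxy host=ws-117 dst=invoice-update.example rule=suspicious-dns
2017-05-02T08:15:22Z firewall host=db-02 dst=198.51.100.77 rule=outbound-ssh
2017-05-02T08:16:05Z proxy host=ws-044 dst=93.184.216.34 rule=large-upload
2017-05-02T08:17:40Z edr host=fin-ws-09 dst=203.0.113.45 rule=powershell-download
"""


@dataclass
class Alert:
    ts: str
    source: str
    host: str
    indicator: str          # the IP or domain the host contacted
    rule: str
    intel: dict = field(default_factory=dict)  # filled in by enrich()


def parse_alerts(text: str) -> list:
    """Turn key=value alert lines into Alert objects, in arrival order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        alerts.append(Alert(ts, source, fields["host"], fields["dst"], fields["rule"]))
    return alerts


def lookup(indicator: str, feed: dict) -> dict:
    """Match an observed indicator against the feed: exact match first,
    then CIDR containment for IP addresses. Returns {} when unknown."""
    if indicator in feed:
        return feed[indicator]
    try:
        addr = ipaddress.ip_address(indicator)
    except ValueError:
        return {}  # a domain with no exact match
    for key, ctx in feed.items():
        if "/" in key and addr in ipaddress.ip_network(key, strict=False):
            return ctx
    return {}


def enrich(alerts: list, feed: dict) -> list:
    """Attach threat-intel context to each alert: the 'intelligence' step."""
    for a in alerts:
        a.intel = dict(lookup(a.indicator, feed))
    return alerts


def triage_reactive(alerts: list) -> list:
    """The SOC model described above: work the queue in arrival order."""
    return sorted(alerts, key=lambda a: a.ts)


def triage_intel_led(alerts: list, feed: dict) -> list:
    """The SIC model: enrich, then surface alerts tied to a known adversary
    first (highest confidence first); unmatched alerts keep arrival order."""
    enrich(alerts, feed)
    return sorted(alerts, key=lambda a: (-a.intel.get("confidence", 0), a.ts))


def hosts_by_actor(alerts: list, feed: dict) -> dict:
    """Pivot from a single hit to the campaign: which hosts has each
    adversary touched? This is the view needed to hunt proactively
    rather than close alerts one by one."""
    enrich(alerts, feed)
    view = {}
    for a in alerts:
        actor = a.intel.get("actor")
        if actor:
            view.setdefault(actor, set()).add(a.host)
    return view


if __name__ == "__main__":
    queue = parse_alerts(SAMPLE_ALERTS)
    print("reactive order: ", [a.host for a in triage_reactive(queue)])
    print("intel-led order:", [a.host for a in triage_intel_led(queue, THREAT_INTEL)])
    print("hosts per actor:", hosts_by_actor(queue, THREAT_INTEL))
```

Run stand-alone, the reactive pass lists the hosts in the order the alerts arrived, so the finance workstation that contacted the high-confidence APT indicator is last in the queue; the intelligence-led pass puts it first, places the database server that reached into the same actor's address range second, and shows both hosts together under one adversary, which is the starting point for a hunt across the estate rather than a single ticket.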
Both SOCs and SICs can be implemented either internally or outsourced as third-party cybersecurity centres.
Unfortunately, many organisations still put the majority of their security investment into preventive controls and reactive monitoring such as a conventional SOC, neither of which is designed to stop every intrusion into a complex, dynamic infrastructure.
‘Companies need to begin thinking about cybersecurity less as a purely IT-managed risk and far more as a strategic business issue,’ says the Consumer Loss Barometer report by KPMG, published last August.
Some 34.6% of respondents to the IIA and Crowe Horwath report said their organisations had already established a formal SOC, while another 10% were considering one, implying that there is still room for audit executives to become more actively engaged.
The speed at which an intelligence-driven defence approach is embraced also differs between regions, with most Asian countries lagging behind while their western counterparts are quicker to adopt it.
‘Asia is still several years behind. Although Hong Kong and Singapore are pretty advanced, intelligence-led approaches against cyber attacks are still trying to catch on. Asian institutions love compliance but they’re not as interested in threats,’ says Wootliff.
‘The Hong Kong Monetary Authority has talked about intelligence sharing. But a lot of organisations still have an SOC-led approach,’ he adds.
The Cyber Security Report 2017 released by Telstra shows that 59% of the organisations surveyed in Asia have detected a business-interrupting security breach at least once a month.
‘Businesses in Asia are dealing with unprecedented security and business challenges. Many of these are fuelled by mobility, cloud-based service offerings and the need to have an environment that adapts to the way users want to work and interact,’ explains Neil Campbell, director of security practice at Telstra.
‘Organisations must invest in appropriate security initiatives in order to reap the benefits of innovative technologies, like Cloud and Internet of Things (IoT) devices, as they emerge.’
On the other hand, countries like the UK recognise that cybersecurity is no longer an isolated issue that should be managed by an IT team alone.
‘The Bank of England is moving away from a testing and compliance-based approach to a threat-led one. This implies understanding what threats are out there and how those threats might be manifested. They are taking an intelligence-led approach,’ says Wootliff.
UK authorities were the first to enact contingency plans after Tesco’s online banking arm had £2.5m stolen, with a total of 9,000 customers’ accounts compromised in a cyber attack.
‘It’s not so much going from SOC to SIC, but it is an example of where regulators are telling organisations to apply intelligence to their program,’ says Wootliff.
Many businesses and their auditors will have to abandon the idea that merely safeguarding information assets is enough, especially in an increasingly complicated and interconnected business environment.
And that is the way it should be, because cyber attacks cost business worldwide as much as US$450bn in 2016, according to Steve Langan, CEO at Hiscox Insurance.
And while larger businesses may have the resources to weather the damage even in the long haul, for smaller businesses, cyber attacks can be impossible to overcome, with nearly 60% of small companies going out of business following a hack, according to the United States House Committee on Small Business.
A joint study by IBM and the Ponemon Institute, surveying 383 companies around the world, found that the average total cost of a data breach in 2016 was US$4m, or US$158 per record.
In the US, the costs are even higher, averaging US$221 per record, totalling US$7.01m per breach.
But it is the aftermath of a data breach through a cyber attack that can be even more devastating.
A survey of 65 companies affected by hacks since 2013, conducted by IT consultancy CGI and Oxford Economics, found that cyber attacks had wiped at least US$52.4bn off their share value.
The same study found a ‘significant connection between a severe cyber breach and a company’s share price performance’: on average, share prices of companies that suffered a cyber breach fell 1.8% on a permanent basis.
According to the same report, financial services companies experience a particularly severe impact from hacks because of the industry’s ‘high levels of regulation, the importance of customer confidence and the potential for financial fraud to be a facet of the breach’.
‘The banking and healthcare industries have personally identifiable information which is valuable to cyber criminals. Life sciences and manufacturing, electric and utilities are certain industries where there is more concern for intellectual property loss,’ Chaudhary points out.
‘It is a conceptual switch that is needed. Cybersecurity should no longer be viewed as a technical issue, but as a business risk issue, an ongoing risk which is constantly changing and evolving,’ says Wootliff.
Haky Moon, journalist