With cyber security issues on the rise, it is not possible for an auditor to say that information security these days is either ‘effective’ or ‘adequate’.
Before I confess, I want to share a recent and valuable report from Verizon. Their 2018 Data Breach Investigations Report has a depth of valuable information that merits the attention of every practitioner.
The Summary of Findings includes these observations:
- 73% of breaches in the last year (of which Verizon is aware) were perpetrated by outsiders, while 28% involved internal actors
- 50% were carried out by organized criminal groups
- 12% involved actors identified as nation-state or state-affiliated
- 58% of the victims were small businesses
- 24% of breaches affected healthcare organizations
- 76% were financially motivated
- 68% took months or longer to be discovered
The extensive report analyzes breaches by type as well as by industry sector.
Another report that merits our attention is PwC’s The Global State of Information Security Report 2018. PwC has different numbers about who is responsible for security incidents, saying that 30% are from current employees, 28% from former employees, 26% from unknown hackers, 23% from competitors, and 20% from current third parties.
I tend to believe more in the Verizon report (just a feeling rather than being based on any data).
The only surprise for me in the PwC report is the assertion that competitors are the source of 23% of security incidents.
I like and recommend a McKinsey article, A new posture for cybersecurity in a networked world.
It has both useful information and excellent recommendations.
- 75 percent of experts consider cybersecurity to be a top priority. That’s true even of industries like banking and automotive, which one might think would be preoccupied with other enormous risks that have emerged in recent years.
- But while awareness is building, so is confusion. Executives are overwhelmed by the challenge. Only 16 percent say their companies are well prepared to deal with cyberrisk. The threat is only getting worse, as growth in most industries depends on new technology, such as artificial intelligence, advanced analytics, and the Internet of Things (IoT), that will bring all kinds of benefits but also expose companies and their customers to new kinds of cyberrisk, arriving in new ways.
- A global insurance company’s experience indicates the potential. It budgeted $70 million for a comprehensive cybersecurity program. One year later, only a fraction of the planned measures had been implemented. Business units had put pressure on the IT department to prioritize changes they favored, such as a sales campaign and some new reports, at the expense of security measures, such as email encryption and multifactor authentication. The business units also took issue with the restrictions that came with cybersecurity measures, such as the extra efforts that went into data-loss prevention, and limitations on the use of third-party vendors in critical areas.
- The US government has identified cybersecurity as “one of the most serious economic and national security challenges we face as a nation.”1Worldwide, the threat from cyberattacks is growing both in numbers and intensity. Consider these figures: some companies are investing up to $500 million on cybersecurity; worldwide, more than 100 billion lines of code are created annually. Many companies report thousands of attacks every month, ranging from the trivial to the extremely serious. Several billion data sets are breached annually. Every year, hackers produce some 120 million new variants of malware.
- …despite all the new defenses, companies still need about 99 days on average to detect a covert attack.
Their recommendations include:
- Cyberrisk needs to be treated as a risk-management issue, not an IT problem.
- Companies must address cyberrisk in a business context.
The only problem I have is that McKinsey continues the traditional approach of assessing risk to information assets rather than to enterprise objectives.
Now to my confession.
In all my years as an IT auditor and then a CAE, I cannot recall ever assessing information security as being ‘adequate’ or ‘effective’.
There has always been at least one issue that was significant.
For example, I remember that one company where I was responsible for IT auditing relied on security software and mechanisms provided by HP for their HP3000 computers and Image database systems.
The vendor had told management that their systems were secure.
I didn’t think so and met with the CIO to share my views. His response was that I didn’t have evidence that was persuasive for him – given the assurance he had received from HP.
I asked for and received his permission to try to ‘hack’ the system myself. I would do so without any special knowledge, just access to a business user’s laptop (mine).
A week or so later, I showed him a list of userids and passwords I had obtained. I had found one weak point and from there navigated my way to a security file.IT
Why share this confession?
I don’t think it is possible for any auditor ever to say that information security these days is either ‘effective’ or ‘adequate’.
The best they can say is that it appears reasonable.
Reporting that it complies with a standard or is consistent with guidance in a framework doesn’t work for me.
It would not satisfy me if I was on the board.
Does this mean that we should give up auditing information security and the management of cyber risk?
Not at all.
But we should do so with eyes wide open.
We should recognize the limitations of our knowledge, tools, and techniques and the likelihood that hackers have new techniques that are unknown both to auditors and management.
We should ask management whether they believe that the risk to the organization from a breach is at acceptable levels and why.
I would be highly skeptical if they said everything was under control.
Then the key is to see if they have thought everything through – all facets: prevention, detection, and response – and that the risk assessment is based on the effect on enterprise objectives.
I welcome your comments.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.