In the days leading up to the Holy Week, it was hard to miss news stories about an ongoing investigation into an alleged money-laundering scheme, reportedly the biggest case ever detected in the country. Considering the many versions of what happened that have been told so far, it’s beginning to look like a mystery thriller, with more and more personalities and institutions involved coming out of the woodwork as I write this.
But one thing that has been established is this: the money in question was illegally moved from one account to another through cyberattack.
Cybercrime is forecast to possibly cost businesses more than $2 trillion by 2019, which is nearly four times the estimated 2015 expense, according to a study by market analyst Juniper Research.
As we become increasingly dependent on digital platforms that are oriented for sharing—internet, cloud, mobile, social technologies—the threat from cyberattacks will continue to increase and evolve. So, too, will the requirements to protect our data.
Traditionally, business units and the information technology (IT) functions serve as an organization’s first line of defense against cyberattacks as they jointly integrate cyber risk management into day-to-day decision-making and operations. The second line involves IT risk management leaders, who establish governance and oversight, monitor security operations and take action as needed.
Internal audit: a third line of defense
There is a growing trend of establishing a third line of defense: internal audit (IA). IA protects an organization by conducting an independent review of security measures and performance. It is also tasked with keeping the audit committee and board of directors abreast of the controls for which they are responsible—ensuring that these are in place and functioning correctly.
In an article entitled “Cybersecurity and the role of internal audit: An urgent call to action,” Deloitte provides a framework that IA can use in executing this function, that is, in assessing an organization’s cybersecurity and strengthening its defenses.
As a starting point, IA should ask these three key questions:
Who might attack? Are the perpetrators criminals, competitors, third-party vendors, disgruntled insiders, agenda-driven hackers, or someone else?
What are they after and what business risks need to be mitigated? Do they want money or intellectual property? Is their goal to disrupt business or ruin the organization’s reputation?
What tactics might they use? Will they go phishing, test system vulnerabilities, use stolen credentials, or enter networks through a compromised third party?
Threats identified through these questions can then be addressed with the help of this three-pronged approach identified by Deloitte Advisory:
Secure. Most organizations have established controls such as perimeter defenses and data protection to guard against known and emerging threats. Risk-focused programs prioritize controls in areas that align with top business risks.
Vigilant. Threat intelligence, security monitoring, and behavioral and risk analyses are used to detect malicious or unauthorized activity, such as unusual data movement, and help the organization respond to the changing threat landscape.
Resilient. Incident response protocols, forensics, and business continuity and disaster recovery plans are put in place to recover as quickly as possible and reduce impact.
In the Deloitte article (which can be downloaded in its entirety here: http://www2.deloitte.com/us/en/pages/risk/articles/cybersecurity-internal-audit-role.html), there is a detailed cybersecurity assessment framework based on the Secure.Vigilant.Resilient.™ concept that lays out 12 security domains. Space constraints prevent me from detailing those domains here, but IA can use that framework to understand the organization’s capabilities within each domain and check if security gaps exist.
In addition to this framework, there are other factors IA professionals should keep in mind when conducting a cybersecurity assessment.
First, it is important to involve people with the necessary experience and skills. While IA has the know-how to conduct an assessment, these professionals may not be in the best position to determine whether the IT department is doing a robust job of threat modeling, for example. It may help to bring in a tech-oriented audit professional who specializes in the cyber world.
Second, IA should evaluate the organization’s full cybersecurity framework. This involves understanding the current state and where the organization is going, and benchmarking against minimum expected cybersecurity practices across the industry.
Lastly, IA’s initial assessment should be a broad evaluation, not an exhaustive analysis requiring extensive testing. IA can look at it as the first step toward additional, more detailed risk-based cybersecurity reviews.
As the investigation into the money laundering scheme involving one of the Philippines’ largest commercial banks intensified, the rest of the country’s financial sector did some probing as well: leaders openly talked about taking a closer look into their own controls. I’m not privy to what kind of reviews and testing our big banks are currently conducting in the wake of this controversy, but I hope they are adding that layer of security to their operations and putting their IA professionals to good use. Nowadays, you can never be too safe in cyberspace.
The author is the Enterprise Risk Services Leader of Navarro Amper & Co., the local member firm of Deloitte Southeast Asia Ltd., a member firm of Deloitte Touche Tohmatsu Limited, comprising Deloitte practices operating in Brunei, Cambodia, Guam, Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam.