IT risk and compliance functions took an unprecedented hit from the COVID-19 pandemic. Businesses had to expedite the implementation of new technologies and processes to cope with revised working models, leaving many compliance teams faced with re-writing IT standards and procedures.
Prior to the onset of the COVID-19 pandemic, our specialists conducted IT assessments for different businesses in the Channel Islands, which revealed various strengths and weaknesses, as you can see in the chart below. A high proportion of businesses had deficient controls around helpdesk procedures and monitoring of user activity. These two control domains are crucial, especially when responding to business-disrupting events such as COVID-19 has been. Like trying to build a house on a cracked foundation during a storm, responding to the pandemic was an uphill task for businesses with these deficient controls.
Our assessment built on the 2019 evaluation of the IT systems and broadly speaking, businesses have made progress in 2020 covering areas that form the basics of IT security. The graph below summarises our assessment of the 12 IT control categories and provides a comparison between 2019 and 2020 assessments:
As shown on the graph, 34% of the businesses we examined in 2020 did not have formal policies and procedures for incident management. IT teams were managing incidents on a “first reported, first resolved” basis. However, COVID-19 opened the floodgates of incidents and demonstrated that this approach was neither effective nor efficient. Organisations lacking incident management procedures found themselves drowning in incidents such as users failing to connect remotely, password resets, downtime of key business systems and emerging cyber threats such as ransomware and targeted phishing attacks.
While most financial institutions did a fairly good job of managing incidents prior to and during the pandemic, our experience working with leading banks, asset managers, fiduciary businesses and insurance companies suggests that a number of businesses still have a long way to go before they fully enjoy the benefits of a structured incident management approach. The problem is not that management are unaware of the risks associated with inadequate incident management procedures, nor is it a lack of effort or desire to address these risks. More often, the problem boils down to reduced visibility of incident management at board level.
Looking ahead, it is crucial for businesses to work with IT teams in drafting and reviewing incident management procedures. Internal Service Level Agreements (SLAs) between IT teams and business leadership should be implemented to enable structured prioritisation of incidents. Businesses need to define incident management metrics, and these should be reported at board level. Additionally, it is key to keep up to date with the cyber threat and risk landscape: a business should continuously scan for trends in incidents or data breaches and adjust its internal controls accordingly.
Monitoring user activity
33% of the businesses in our 2020 assessment were not monitoring user activity. Inasmuch as this control complements procedures around user access management, it is imperative to perform user activity reviews, as they are also a way to test the effectiveness of your user access management controls.
Clearly, the pandemic triggered a wave of user access management challenges as businesses restructured internally, onboarded specialist skillsets or faced financial pressures leading to workforce redundancies. These challenges were further escalated by some of the new ways of working introduced in response to COVID-19, such as Bring Your Own Device (BYOD), which could include home printers, scanners and laptops, and which made monitoring of user activity a monumental test for many. Considering how hurriedly BYOD was adopted by some businesses, no consideration was given to ensuring that users accessing company resources from their personal devices were monitored.
While we commend how some organisations have enabled logging on their IT systems, we are seeing instances where system logs are not being reviewed, thereby defeating the purpose of logging. Just like having a CCTV system installed in your house and not reviewing its recordings for the period you were away, failure to review system logs means that any attempted or successful break-in, and any other malicious activity, will go unnoticed.
As we continue in the new reality, it is imperative for management to conduct a comprehensive user access review in order to confirm the validity of all access to its IT systems and to be sure that there is no unauthorised external or inappropriate internal access within the network. Furthermore, businesses should revisit their BYOD arrangements to incorporate appropriate controls for monitoring user activity from personal devices. Decisions should be made about what to log, and these should be followed by periodic log reviews to identify any malicious activity and any loopholes in the user access management procedures.
Making changes and fixes
Prior to COVID-19, we saw an increased uptake of end user computing (EUC) tools such as SharePoint workflows, Excel workbooks and Access databases, mainly in the financial services sector. This is partly because of the flexibility these tools provide. In-house built loan amortisation tools and routines for data reconciliation and consolidation have been playing a pivotal role in closing gaps in legacy systems, but have inevitably introduced new risks. What has been thought-provoking is how these in-house tools have been overlooked in change management procedures.
23% of the organisations we looked at did not have appropriate processes for managing system changes and fixes. This resulted in high-risk deficiencies such as developers having access to live environments containing real and often confidential data sets. To top it all off, developer access and/or activity in the production environment was not being monitored.
The COVID-19 experience revealed a hurried adoption of technologies to cope with new working arrangements, in some instances without the necessary approvals being obtained. Understandably, this is the “modus operandi” when implementing urgent changes, but as we return to BAU, businesses should incorporate any tools introduced during lockdown into their change management procedures. Additionally, segregation of duties in the change management process should be enforced.
Backups were one of the most effective control areas in our 2020 assessment. Organisations performed well in backup management: 91% of the businesses had backup arrangements and procedures in place. We have seen businesses outsourcing this function to third parties. What is key is to re-examine the controls in place at the third-party site and ensure the inclusion of a “right to audit” clause in your contracts with service providers. As a consumer of a third-party service, you should be comfortable that the controls at the service provider support the resilience and continuity of your business.
Information security policies and user awareness
97% of the businesses examined in 2020 had documented information security policies. Alongside these policies, local businesses have invested in user awareness programmes. We recognise the progress made in this area and commend the efforts of IT teams. It is, therefore, imperative not to lose momentum. Cyber threats are still at large: since the pandemic began, there has been a record increase in cases of cybercriminals using COVID-19 themed phishing attacks. Local businesses should seek ways to continue imparting information security awareness throughout the organisation, up to board level.
90% of the assessed businesses had robust physical access controls. A variety of controls, ranging from access cards to visitors being required to sign in and out, were in place to restrict physical access. Looking ahead, businesses should jealously guard the benefits realised through physical access controls. There may be many new faces in the office, with some staff turnover during the transition. A question worth asking is: what effect will this have on the ability to recognise intruders? As we return to the office, many employees may still be wearing casual clothing. Have you thought about the new guidance you can provide your teams to help them recognise intruders and challenge them politely?
COVID-19 has been a game changer and has continued to test businesses’ IT controls and resilience. With a continuously shifting landscape, the IT function has become a business driver, as opposed to its traditional role of supporting the business. Organisations need to understand the impact of the “new work definition” on IT processes and need to stay ahead of the cyber criminals. KPMG recognises the challenges being faced by IT teams, and we have been working with local businesses, helping them anticipate, manage and mitigate risks in IT systems and processes, as well as supporting them in improving their IT controls.