What changing cybercrime means for internal auditors
Cybercrime is becoming more sophisticated, organised and dangerous. Firms need to think about attacks in terms of ‘when, not if’. Risk and Audit are in the front line when it comes to preventing data assets from becoming data liabilities. Firm-wide threats call for firm-wide awareness – and responses.
Cybercrime is big business – it costs the world as much as $600 billion a year, or 0.8% of global GDP.
Ransomware, malicious bugs, hacking and phishing emails are increasing in sophistication and in number.
Companies, regulators and governments meanwhile are scrambling to keep up with ever more sophisticated crime-fighting techniques of their own.
The nature of cybercrime changes as the perpetrators follow whichever avenue proves to be the most lucrative. As the landscape shifts, the companies that can best adapt to this change will be the most successful in their efforts.
For internal auditors, this means gaining the skills to develop and maintain sound security practices to address modern security threats.
Cybercrime has morphed from rogue hackers locked in bedrooms to a full-time organised crime endeavour or state-sponsored activity.
Criminal groups are increasingly targeting e-commerce and are widely believed to be the masterminds behind two major attacks this year.
Once criminals have the financial details, they can be sold on the black market before the company even realises it’s been hit.
In recent years, there has also been a growth in state-sponsored cybercrime. The number of countries with offensive cyber capability has grown.
As trade relations between China and the US break down, many fear that cyber espionage might rise, while governments are worried about the increase in state-sponsored reconnaissance on key infrastructure within their countries.
The issue that internal auditors are up against is that organised crime methods are becoming increasingly sophisticated and are designed to defeat even the best security measures.
AI, for instance, is increasingly being used to analyse and defeat CAPTCHA tests, the human-verification line of defence on websites.
Regulators, businesses and governments are all responding to the changing cyber landscape.
The Network and Information Systems Regulations 2018, for instance, are now being applied to all critical infrastructure providers, from transport to energy to healthcare, and ensure they establish a baseline of security.
Companies are investing in automating security controls and RegTech. The compliance burden weighs heavily on companies, particularly those in the financial services sector, so businesses are keen to automate certain elements of security controls.
Models of security are also changing. Continuous testing of IT systems is now a much more common way of operating.
The advent of cloud computing has also allowed technical security controls to be delegated to the cloud provider, which leaves companies free to focus on other areas such as incident response and risk management.
But there is another key trend emerging, which is that cyber security will soon stop being an issue that only the technical experts within a company need to deal with.
While every organisation will continue to need its cyber security experts, ultimately the subject is one for the boardroom and down.
In future, companies will need to instil firm-wide education that gets the entire business to understand what its critical assets are and how they need protecting.
Indeed, regulators now expect companies to prepare for cybercrime not as a ‘what if’ scenario but as a ‘when’ scenario. Regulators want companies to already be thinking about how they will handle the consequences of an attack.
The assurance function may need to assess how quickly a company can respond.
GDPR is just the start
As companies become victims of cybercrime, the issue of trust becomes more apparent. What most criminals are after is the valuable data that the companies gather, particularly financial information.
Consumers, for their part, willingly hand over data in return for a service in the assumption that the company is doing everything it can to keep that data secure, with robust security models.
People often refer to data as the “new oil” – meaning that it is a valuable commodity. But data is as much an asset as a liability.
Companies can now extract so much value from that data, such as improvements to real-time products and services. But that data also represents a huge risk: losing it can lead to legal liability, fines and reputation issues.
At the same time, personal control of that data will increase. How organisations approach privacy today may need to change. In the future, people may well be able to access the data companies hold on them, which could impact on trust and loyalty.
Organisations should already start standardising their approach globally. They will need to embrace technology to help them manage privacy, and their approach should be customer-centric.
The company journey regarding data has only just begun. There are big rewards to those who lead the way, as trust becomes a key competitive advantage of companies today.
© 2021 KPMG LLP a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.