Part 2: Governance essential in cyber risk management in Accounting 4.0

5 Min Thought Leadership

As cybersecurity becomes the new normal for businesses worldwide, and is increasingly seen as both a business enabler and a differentiator, perceptions among the top echelons “are of utmost importance”, said Mr. Steven Sim, President of ISACA Singapore Chapter, in a recent masterclass titled Optimising Cyber Risk in the Era of Accounting 4.0.

Fortunately, senior management have become more concerned with cyber risk issues, according to over 70% of respondents in a recent ISACA survey.

“A good risk culture starts from the top. The SEC (Securities and Exchange Commission) now requires board members to minimally understand cyber risk management and adopt a risk-based rather than a compliance-based mindset. So instead of going through the motions to complete the checklist, board members would instead need to assess and manage the risk appropriately,” Mr. Sim elaborated.

With digital connectivity, systems and algorithms coming into play, driving processes that have found their way into the daily lives of corporations and consumers alike, cyber threats have become inevitable. Disrupting the attacker and recovering swiftly to ensure business resilience means that the organisational structure needs to evolve with an increased focus on cybersecurity.

Governance is one way in which companies can ensure security throughout the supply chain, and it has become essential with the adoption of 4.0 technologies. For instance, with cloud governance, businesses would be able to avoid watering hole attacks and leaky cloud buckets by implementing key security principles - such as Secure by Design (SbD), Secure by Default and Secure in Deployment - either from the outset or by configuring the existing architecture.

“Throughout the key points is continuous audit and monitoring. If not managed on a continual basis, the cybersecurity posture will deteriorate over time. Therefore, cybersecurity is a continuous process, and not a one-off,” he continued. 

Additionally, adequate risk communications, both vertical and horizontal, are essential. “With increasing supply chain risk, it is important such communications with supply chain providers are established and tested during peace times. Cybersecurity tabletop exercises and drills must be held, to run through possible attack and breach scenarios,” Mr. Sim advised.

Apart from these principles, frameworks are another means of ensuring cybersecurity throughout the organisation. A number of frameworks by the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and Control Objectives for Information and Related Technologies (COBIT) provide comprehensive references to help companies prepare for the eventuality of a breach. 

Source: ISACA COBIT, NIST

“As we enter a new cybersecurity normal, where breaches are inevitable, it is important for us to not only look at protecting application code and systems right from the start, but also prepare for the eventuality of a breach during this time. This entails adequate detection, response and recovery, including ensuring business continuity plans are in place and well tested. Black swan events have been known to occur, so business continuity plans must be tested; when the unknown happens, these plans are what will save the company,” Mr. Sim said.

With robotic process automation (RPA), which can be helpful in many accounting, taxation and audit tasks, some of the risk factors and challenges highlighted by Deloitte and PwC include IT support and alignment, impact on the human workforce, and consistency and stability of processes, among others.

Source: ISACA, Deloitte, PwC

“Reviewing RPA programmes is absolutely essential - who creates, who reviews, is there segregation of duties, are there enough maker-checker checks-and-balances, does the RPA programme circumvent existing security controls. How do you protect the RPA programme from misuse - do you log all the events, who logs in to perform what activities, and where is the RPA programme accessed from,” he highlighted.

With emerging technology, such as artificial intelligence (AI), machine learning (ML) and blockchain, ISACA has identified five key considerations, namely privacy, employment, unpredictability, intelligence and bias.

“AI is a double-edged sword. It can help in a lot of our manual processes and decision-making. Attackers have long weaponised AI, creating AI-triggered malware - malware that knows how to adapt to counter defences. Attackers have also used AI to hunt for vulnerabilities and to decide automatically which attack patterns to use, to crack passwords faster, generate fake voice commands and bypass anomaly detection engines, subvert facial recognition with deep fakes and bypass spam and anti-phishing filters,” explained Mr. Sim.

Despite efforts to defend systems with anti-phishing algorithms, attackers have been able to design models that combine natural language processing (NLP) with data points, learn what works and what does not on a per-second basis, and automatically get smarter.

“Therefore, given the type of innovations that attackers come up with, implementing ML and NLP anti-phishing defences is also necessary just to be in the fight,” he added. 

With blockchain, the infrastructure and the manner of deployment can result in breaches, as seen time and again with crypto exchanges, which are only one of the many ways in which blockchain technology can be used.

“Blockchain is not a panacea to all security threats. Blockchain technology depends on communication across network groups, and disrupting node communication may compromise the network… Coding bugs often cause vulnerabilities that are continuously exploited by hackers in blockchain-based smart contract projects... therefore, experienced developers, SbD and continuous project audits can help reduce and mitigate some of these risks,” Mr. Sim continued.

Lastly, as the WEF pointed out, cybersecurity is an overall ESG (environmental, social and governance) issue, since cyber attacks present a huge risk and ultimately affect the stability of a society, he quipped. 

“ESG inevitably relies on big data, and validity is key to making the right decisions, such as on carbon footprint and carbon tax. Vulnerabilities in the way data is stored and managed can result in data being leaked or tampered with, resulting in compromised data integrity; therefore measures have to be put in place to consider how the data is stored, how it is processed through AI and ML algorithms, how it is transmitted securely and how privacy is protected,” Mr. Sim explained.

To achieve ESG goals, the governance and management objectives companies should follow include ensuring that a governance framework is set and maintained, ensuring benefits delivery, and managing organisational change, to name just a few.

Source: ISACA COBIT

With cyber threats and breaches inevitable in the Industry 4.0 digital transformation, ensuring a strong security posture, as well as being able to recover properly from an attack, is crucial to business continuity.

“The inevitability of a breach must be known, and it must be understood that it is not only about investing in protection measures, but also in incident management, business continuity and recovery plans. There is a need to understand that the threat landscape is volatile, managing digital risk is an ongoing journey, maturity may shift as risk evolves, and what works yesterday may no longer work today,” he concluded.
