Data security and cyber risk are now front and centre on organisations’ boardroom agendas. In this article Guy Rudolph, Group Audit Director, and Paul Webster, Head of Audit, Technology, at mobile phone network operator Vodafone talk about the challenges of auditing data security and the defence against cyber crime.
This article was published by www.iia.org.uk
Data security and cyber risks continue to rise up the risk register for most organisations, but for those companies whose service delivery is completely dependent on technology to meet customer demand, the need to address these risks is perhaps greater.
Guy Rudolph, Group Audit Director at mobile phone network operator Vodafone, and Paul Webster, its Head of Audit for Technology, say that two key risks could damage Vodafone's business and brand: the loss of, or unauthorised access to, customer data; and loss of service to customers.
To ensure customer data security and to enable effective protection against cyber attacks, Webster says that internal audit needs to: understand the value of the organisation's assets/data; know where the assets/data are held and who has access to them; and understand why someone would want access to them. Once the function understands these issues, it can then build them into an audit plan, he says.
Webster says that there are four key parties who are likely to cause a breach: hacktivists, criminal gangs, state-sponsored hackers, and the organisation's own employees.
Each week, Vodafone is subject to more than 10 billion events that are trying to attack its network, and the company has suffered from such attacks in the recent past. This September the press reported that a hacker, an employee, stole the personal details - including customer names, addresses, bank account numbers and birth dates - of more than two million Vodafone customers in Germany from a database sitting on the company's internal network.
Rudolph says that while many organisations use the "3 lines of defence model" to ensure better internal control, it is important that there is clarity over the responsibilities and accountabilities that management, compliance and internal audit each have for risk monitoring and risk assurance in the data security and cyber crime field.
He adds that it is also important to interact more closely with other assurance providers within the business (such as external audit, HR, IT, corporate security, and legal) to get a better view of the risks that come up on their radars, as well as how they approach reporting and controlling such risks. This helps fill in any gaps in the assurance model; provides an independent opinion; and adds value and insight into the business.
Within Vodafone, Webster says that internal audit's activities are focussed on 4 core areas:
"The common mistake that people make is to think that cyber crime and customer data are just technology risks: the vulnerabilities lie across all four of these areas," says Rudolph. "This is where many of those at the 'top table' or audit committee level think that it is just an issue for the chief technology officer to sort out, but you need assurance over each of these building blocks," he adds.
In summary, internal audit needs to: