Back to News

Customer data security and cyber crime

By Chartered Institute of Internal Auditors | 11th March 2016

Customer data security and cyber crime

Data security and cyber risk is now front and centre on organisations’ boardroom agendas.  In this article Guy Rudolph, Group Audit Director and Paul Webster, Head of Audit, Technology at mobile phone network operator Vodafone talk about the challenges of auditing data security and the defence against cyber crime.

This article was published by www.iia.org.uk

Discussion summary 

Data security and cyber risks continue to rise up the risk register for most organisations, but for those companies whose service delivery is completely dependent on technology to meet customer demand, the need to address these risks is perhaps greater. 

Guy Rudolph, Group Audit Director at mobile phone network operator Vodafone and Paul Webster, its Head of Audit for Technology, say that  - the loss of, or unauthorised access to, customer data; and loss of service to customers are key risks which could damage its business and brand.

To ensure customer data security and to enable effective protection against cyber attacks, Webster says that internal audit needs to: understand the value of the organisation's assets/data; know where the assets/data are held and who has access to them; and understand why someone would want access to them. Once the function understands these issues, it can then build them into an audit plan, he says.

Webster says that there are four key parties who are likely to cause a breach: hacktivists, criminal gangs, state-sponsored hackers, and the organisation's own employees. 

Each week, Vodafone is subject to more than 10 billion events that are trying to attack its network, and the company has suffered from such attacks in the recent past. This September the press reported that a hacker, an employee, stole the personal details - including customer names, addresses, bank account numbers and birth dates - of more than two million Vodafone customers in Germany from a database sitting on the company's internal network.

Rudolph says that while many organisations use the "3 lines of defence model" to ensure better internal control, he adds that it is important that there is clarity over the responsibilities and accountabilities that management, compliance and internal audit have on risk monitoring and risk assurance in the data security and cyber crime field.

He adds that it is also important to interact more closely with other assurance providers within the business (such as external audit, HR, IT, corporate security, and legal) to get a better view of the risks that come up on their radars, as well as how they approach reporting and controlling such risks. This helps fill in any gaps in the assurance model; provides an independent opinion; and adds value and insight into the business.

Within Vodafone, Webster says that internal audit's activities are focussed on 4 core areas:

  • Policy: Internal audit challenges the scope of the policies relating to security and data protection, and whether they are adequate and sufficiently detailed for people to understand them. The function also checks whether contractors are aware of the policies, and how regularly the policies are reviewed
  • People: Internal audit looks at the levels of risk awareness among employees, and examines "user access management" protocols to see who has access to which physical areas of the buildings, as well as data
  • Process: Internal audit looks at the total security framework and how it links to other policies and operations. The function performs "deep dive" audits in core areas, and carries out multiple entity audits
  • Technology: Internal audit looks at the tools that are used for monitoring user access, and examines the security aspects around the use of technology.

"The common mistake that people make is to think that cyber crime and customer data are just technology risks: the vulnerabilities lie across all four of these areas," says Rudolph. "This is where many of those at the 'top table' or audit committee level think that it is just an issue for the chief technology officer to sort out, but you need assurance over each of these building blocks," he adds.

In summary, internal audit needs to:

  • Audit holistically across the 4 pillars of: Policy, People, Process and Technology;
  • Have the credibility AND ability to ask the right questions;
  • Bring in new talent from outside or recruit from within the business;
  • Use consultants to compliment and bridge the gaps;
  • Be a powerful voice: be supportive, but also challenge the CFO, CTO, CIO and CTSO;
  • Select the right people with the right skills to execute across audits, investigations, and ethical hacking.