By Annie Subactagin-Matto, Director – Monitoring, Evaluation and Reporting, PASAI

The COVID-19 pandemic has changed the way we work. Social distancing requirements in full and partial lockdowns have led to the swift adoption of remote access technology. This rapid digital transition brings with it cyber security risks associated with sharing, transmiting and storing information securely.

Organisations worldwide face an increase in cyber threats[1] in a changing virtual landscape. A McKinsey global expert survey indicated 75% of management executives considered cybersecurity to be a top priority – but only 16% were well prepared to manage cyber risks[2]. This is a concern, especially given a reported increased in malicious cyber activity – e.g. 181.5 million ransomware attacks were reported in the first six months of 2018 - a 229% increase from 2017[3].

Organisations now have to move quickly to build their IT capability to mitigate emerging cyber risks. By accessing and corrupting data, devices and systems cyber criminals compromise the integrity of an organisation’s IT infrastructure and data, and have an impact on business continuity.     

The security of SAIs IT systems is always critical but as SAIs work to monitor the unprecedented public expenditure related to COVID-19 response and recovery effort, their IT systems, data, and other information must be kept secure. This blog explores how SAIs can mitigate cybersecurity risks to ensure that they can operate effectively in a remote working environment. 

How do cyber attacks take place?

Cybercriminals use a variety of methods to compromise systems and access confidential information. The most common methods are listed below:

1. Social engineering - Cybercriminals leverage their understanding of human psychology to  manipulate people into divulging confidential information[4]. For example, an email with an urgent payment instruction send on Friday at 5pm, or an email from a trusted source with links to fake e-Christmas or e-birthday cards - with an aim to install malware on computers and retrieve banking credentials.

2. Malicious software or ‘malware’ involves tricking individuals into opening infected files to introduce viruses, spyware and trojans[5] to access and corrupt data, devices and systems.

3. Phishing – malicious emails from a trusted source containing fake information or a link from an authentic looking website are used to obtain confidential information (user names, passwords, credit card details). This activity is also used to download malware into a device or system. Phishing attempts can be easy to spot because the malicious email address or website URL will usually be different from the original email address or URL. Phishing emails generally try to get recipients to do something – e.g. click a link, send an email, provide information.

4. Ransomware – a type of malware that threatens to lock systems and block data access until a ransom is paid. Such an attack is typically carried out using a Trojan.

5. System vulnerabilities – Unchanged root passwords and systems that do not regularly patch system security upgrades are easy pathways to access IT systems. Cybercriminals are adept at gathering information about a company’s IT infrastructure to target its vulnerabilities until a patch is applied.

Solutions to protect your systems and information

The first step for SAIs is to develop an understanding of the cybersecurity legislative framework and national policies that may exist in their respective juridsdictions.  In addition, there are a number of safeguards which can be used to reduce the risk of cyber attacks:

1. Policies and procedures - A strong information security policy provides staff with clarity around risks. Well defined business continuity and incident response plans and protocols are critical internal governance documents to establish how your SAI would function in the event of an emergency.

2. Regular updates of network security controls and software including laptops and phones prevent hackers from identifying and infiltrating vulnerable systems. Remember to disable user profiles and access of staff who are no longer employed by the SAI.

3. Use the right defences to protect your IT system – such as encryption, firewalls, anti-virus software, SPAM filters and website penetration testing. With remote working arrangements becoming the new norm it is important to ensure the same security controls for remote access as with your onsite computer network – multi-factor authentication and Virtual Private Networks (VPNs) can be used to achieve this.

4. Ensure password safety by ensuring staff regularly change their passwords and use a combination of upper and lower case letters and symbols %@*$ to create complex passwords that are difficult to replicate.

5. Implement dual verification for financial payments to safeguard from phishing schemes and invoice fraud.

6. Maintain regular backups to protect data loss or corruption in case of a hack.

7. Monitor latest trends and update new best practices to respond to evolving methods and tools by cybercriminals.

8. Build staff awareness about how to identify and respond to cyber attacks through upskilling. Use clear communication focusing on what to do (rather than what not to do). Continuous education will empower SAI staff to identify and challenge the unusual and follow response protocols.

 Responding to cyber threats: a recent example

A phishing email was recently sent to several staff of the Office of the Auditor-General New Zealand asking for assistance to purchase gift cards for friends. This email was supposedly sent by John Ryan (Auditor-General).

Once OAG staff reported the email to the IT Operations team, the team escalated this incident to their anti-SPAM provider to block future emails of this particular strain. The team also sent out an email to all staff to create awareness of this email, including tell-tale signs that staff can use to identify the malicious nature of this email.

These tell-tale signs include the use of:

·       an external/unofficial email address - officialdirectmail@gmail.com

·       an unusual tone and writing style– clearly different from John Ryan’s other emails

·       a request of an unusual nature – asking for a favour to purchase a gift card/product for John’s friends at the hospital

·       incorrect spelling and grammar – in this case US English instead of UK/NZ

·       non-standard signature to sign off.

A strategic approach to cybersecurity

Cybersecurity issues need to be considered when developing a digital strategy and action plan as part of the SAI internal governance and planning process. An effective cybersecurity strategy has four components (i) a business risk assessment (ii) the capabilities required to manage this risk (iii) a target state (iv) initiatives to achieve the target state[6].

In the Pacific region, Fiji, PNG, Solomon Islands, Tonga and Vanuatu participated in the Cyber Security Regional Standardisation Enhancement Program designed to strengthen cyber security in the region. The report[7] published in January 2020 outlines the way forward for the project, with the aim to ensure governments and citizens in the Pacific are protected from ever increasing cyber security threats.

SAIs need to be aware of ongoing regional programs and developments to adequately plan for and build a secure and resilient IT infrastructure. The resulting business continuity will ensure that SAIs continue to provide an independent voice to achieve good governance and accountability in the Pacific region.

What’s next?

Stay tuned to read more about the following topics forthcoming in our blog series:

·       Strengthening public procurement practice: key questions for auditors.

·       Staying productive in a remote working environment.

·       Ensuring staff wellbeing in an online setting.

·       Upskilling for the future: what capabilities do auditors need in an era of AI and digitisation?

We welcome your feedback and look forward to hearing about other priority topic areas of interest to you. Please email: secretariat@pasai.org

  ------------------------------------------------------------------------------------------------------------------------------------

The Pacific Association of Supreme Audit Institutions (PASAI) is the official association of supreme audit institutions (SAIs) in the Pacific region, and a regional organisation of INTOSAI and promotes transparent, accountable, effective and efficient use of public sector resources in the Pacific.  It contributes to that goal by helping its member SAIs improve the quality of public sector auditing in the Pacific to recognised high standards.  Due to the global coronavirus pandemic (COVID19), this has restricted PASAI’s delivery of our programs to our Pacific members and in lieu of this PASAI will be providing a series of blogs on various topics that may help auditors think about some implications to service delivery as a result of COVID19.  

For more information about PASAI refer www.pasai.org

References

[1] https://www.cyber.gov.au/threats/threat-update-covid-19-

malicious-cyber-activity

[2] https://www.mckinsey.com/featured-insights/internet-of-things/our-insights/six-ways-ceos-can-promote-cybersecurity-in-the-iot-age

[3] https://www.helpnetsecurity.com/2018/07/11/2018-sonicwall-cyber-threat-report/

[4] https://en.wikipedia.org/wiki/Social_engineering_(security)

[5] Trojan – a type of malicious code of software that looks legitimate but can take control of your computer and/or network once downloaded

[6] https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/digital-blog/at-the-core-of-your-cybersecurity-strategy-knowing-your-capabilities

[7] https://www.standards.org.au/getmedia/952ea009-ffc2-490a-905f-8f731fa84a52/Pacific-Islands-Cyber-Security-Standards-Cooperation-Agenda.pdf.aspx