How the pandemic has accelerated existing risk trends

COVID-19 has reorganized the risk landscape for chief audit executives (CAEs), as CAEs have listed IT governance as the top risk for 2021, according to Gartner. Analysts said the pandemic is giving rise to new sets of risks while exacerbating long-standing vulnerabilities.

Gartner conducted interviews and surveys from across its global network of client organizations to identify the top 12 risks, or “Audit Plan Hot Spots,” facing boards, audit committees and executives entering 2021.

Existing risk trends

The report revealed that IT governance is displacing data governance, which was the top entry for 2020 and is in second position for 2021.

“While the pandemic has created new challenges for audit executives to grapple with, what’s most notable is how the current environment has accelerated existing risk trends,” said Leslee McKnight, research director for the Gartner Audit practice.

“The volatility and interconnectedness of the two most important risks, IT and data governance, also shines a light on the importance for firms to rethink their risk governance. Audit leaders should apply dynamic risk governance in order to rethink their approach to designing risk management roles and responsibilities.”

While the top three hot spots audit executives must focus on for 2021 all made appearances in last year’s list, they have all been altered by the nature of working in the pandemic.

IT governance

Abrupt work-from-home mandates have accelerated digital roadmaps, causing many organizations to vault years forward in the space of a few weeks. This move has spurred the rapid adoption of new technologies both on the employee and customer side, presenting new challenges to productivity, consumer preferences and guarding against security vulnerabilities.

CAEs need to assess how new technology adoption may be hobbling their IT departments’ plans, with IT support incident requests doubling in early 2020 to support a huge increase in work-from-home employees.

Additionally, managing access rights for many more remote workers presents new risks such as “privileged user abuse,” which is expected to climb over the next 12 to 24 months.

Data governance

The pandemic means that organizations are expected to collect more sensitive personal information from employees and customers than ever before. Yet, data governance practices are regressing, with fewer dedicated resources to data privacy than in previous years.

Organizations face increasingly complex data environments where their data is housed. Growth in software-as-a-service (SaaS) and delays to upgrading legacy systems have created work environments where data is distributed across disparate platforms, software and servers.

Such complexities continue to test audit executives, with only 45% expressing high confidence in their ability to manage data governance risk.

Cyber vulnerabilities

Cyber vulnerabilities are especially acute this year, due to the rapid organizational changes needed to protect employees and serve customers in the midst of a pandemic.

Despite increased cybersecurity spending, only 24% of organizations routinely follow cybersecurity best practices, a shortfall that will contribute to cyberattacks expected to cost organizations $6 trillion annually by 2021. Drivers of this risk include lapses in security controls and increased employee vulnerability to social engineering.

More than half of employees are currently using personal devices to do work remotely, while 61% have indicated their employer has not provided tools to secure these devices. Additional security lapses include a lack of attention to employees’ home network security and the status of their antivirus software.

“The pandemic is forcing many audit and risk executives to address their organization’s deficiencies in the most critical areas,” said Ms. McKnight.

“Inadequate data governance and IT security practices will have even steeper consequences in the current environment than pre-pandemic, particularly when considering the types of data many organizations feel compelled to collect as a result of new health and safety measures.”

Risk professionals expect a dynamic risk environment in 2021

A majority of audit and risk professionals believe the risk environment will continue to be dynamic and unpredictable in 2021, rather than returning to more stable pre-pandemic conditions, an AuditBoard survey finds.

The top risk they cited for the coming year was of “economic conditions impacting growth,” followed closely by “cybersecurity threats.”

The responses also illustrate the long-term changes audit and risk professionals will experience in their roles as a result of the pandemic, and how crucial those individuals will be in helping organizations overcome risk challenges despite gaps in enterprise risk management (ERM) programs.

A permanent shift to remote work

One of the biggest challenges the COVID-19 pandemic has created for audit, risk, and compliance professionals is the sudden shift to remote work. Performing audit and risk management tasks in a remote environment is a significant challenge without the aid of modern, collaborative technology.

Recent Institute of Internal Auditors (IIA) polls suggest roughly three-quarters of audit teams are without a modern audit technology solution today. However, when asked by AuditBoard about the future of work, 59% of respondents said they expect their team will work remotely for all or part of the workweek once quarantines lift.

A further 7.5% said they expect their team will work 100% remote on a permanent basis. This shift to remote work presents a major operational challenge for audit, risk, and compliance teams.

“Conditions this year have changed drastically due to the pandemic, and audit, risk, and compliance organizations have had to act quickly to adapt to the dynamic risk environment while maintaining operational continuity,” said John Reese, SVP of Marketing, AuditBoard.

“AuditBoard survey responses overwhelmingly showcase how quickly the workplace mindset is shifting, and how important modern audit, risk, and compliance technology has become to support a more remote and connected future.”

Businesses face dynamic risk environment

Respondents were asked questions about the risks their businesses face as a result of the pandemic and looking forward. Responses reveal an evolving risk landscape with a variety of different business priorities.

  • 81% of respondents said “risk will continue to be dynamic and unpredictable” in 2021 and beyond.
  • When asked what they see as the most pressing risk facing their businesses in 2021, 27.6% of respondents said, “economic conditions impacting growth,” more than one-quarter (27%) said, “cybersecurity threats,” and 12.8% said “business continuity and crisis response.”

“Audit and risk professionals expect the 2021 business risk environment to be unpredictable,” continued Reese.

“Specifically, they are most concerned with the potential risk of economic conditions, cybersecurity threats, and business continuity as their organizations are faced with a fast-changing external environment. Technology like AuditBoard will be a crucial enabler as organizations strive to understand and manage these risks at scale, and stay a step ahead.”

Amid changing strategies, risk management programs often lacking

The pandemic has shifted risk management strategies for most organizations, but many organizations still lack a mature ERM program.

  • 79.5% have either made moderate changes (43.1%), redirected strategy in certain areas (29.3%), or made significant broad-ranging changes (7.1%) to their risk management program since the start of the pandemic.
  • Despite these measures for managing the changing risk landscape, just 16.1% reported having a “robust ERM program” that impacts daily decision making and internal audit planning.

Audit teams becoming a core part of business response to risk

Responses from survey questions directed specifically at audit attendees show how auditors are becoming an increasingly relied-upon asset for organizations as they navigate these risks.

  • 55% replied that they agree or strongly agree that internal audit teams are involved with discussions of risk and potential responses to the crisis.
  • The same sample of respondents was also asked how COVID-19 will change communications between audit teams and the rest of the organization. 44% said that communications with audit committees will increase moving forward.
  • In a separate conference session, 84.3% of respondents replied that they are somewhat or very likely to expand risk assessment to new areas or processes and add new controls to mitigate additional risks as a result of the pandemic.

Quantum computers: How to prepare for this great threat to information security

The race is on to build the world’s first reliable and truly useful quantum computer, and the finish line is closer than you might think – we might even reach it this decade. It’s an exciting prospect, particularly as these super-powerful machines offer huge potential to almost every industry, from drug development to electric-vehicle battery design.

But quantum computers also pose a big security problem. With exponentially higher processing power, they will be able to smash through the public-key encryption standards widely relied on today, threatening the security of all digital information and communication.

While it’s tempting to brush it under the carpet as “tomorrow’s problem”, the reality of the situation is much more urgent. That’s because quantum computers don’t just pose a threat to tomorrow’s sensitive information: they’ll be able to decrypt data that has been encrypted in the past, that’s being encrypted in the present, and that will be encrypted in the future (if quantum-resistant algorithms are not used).

It’s why the NSA warned, as early as 2015, that we “must act now” to defuse the threat, and why the US National Institute of Standards and Technology (NIST) is racing to standardize new post-quantum cryptographic solutions, so businesses can get a trusted safety net in place before the threat materializes.

From aviation to pharma: The industries at risk

The harsh reality is that no one is immune to the quantum threat. Whether it’s a security service, pharmaceutical company or nuclear power station, any organization holding sensitive information or intellectual property that needs to be protected in the long term has to take the issue seriously.

The stakes are high. For governments, a quantum attack could mean a hostile state gains access to sensitive information, compromising state security or revealing secrets that undermine political stability. For pharmaceuticals, on the other hand, a quantum computer could allow competitors to gain access to valuable intellectual property, hijacking a drug that has been in costly development for years. (As we’re seeing in the race for a COVID-19 vaccine, this IP can sometimes have significant geopolitical importance.)

Hardware and software are also vulnerable to attack. Within an industry like aviation, a quantum-empowered hacker would have the ability to forge the signature of a software update, push that update to a specific engine part, and then use that to alter the operations of the aircraft. Medical devices like pacemakers would be vulnerable to the same kind of attack, as would connected cars whose software is regularly updated from the cloud.

Though the list of scenarios goes on, the good news is that companies can ready themselves for the quantum threat using technologies available today. Here’s how:

1. Start the conversation early

Begin by promoting quantum literacy within your business to ensure that executive teams understand the severity and immediacy of the security threat. Faced with competing priorities, they may otherwise struggle to understand why this issue deserves immediate attention and investment.

It’s your job to make sure they understand what they’re up against. Identify specific risks that could materialize for your business and industry – what would a quantum attack look like, and what consequences would you be facing if sensitive information were to be decrypted?

Paint a vivid picture of the possible scenarios and calculate the cost that each one would have for your business, so everyone knows what’s at stake. By doing so, you’ll start to build a compelling business case for upgrading your organization’s information security, rather than assuming that this will be immediately obvious.

2. Work out what you’ve got and what you still need

Do a full audit of every place within your business where you are using cryptography, and make sure you understand why that is. Surprisingly, many companies have no idea of all the encryption they currently have in place or why, because the layers of protection have been built up in a siloed fashion over many years.

What cryptographic standards are you relying on today? What data are you protecting, and where? Try to pinpoint where you might be vulnerable. If you’re storing sensitive information in cloud-based collaboration software, for example, that may rely on public key cryptography, so won’t be quantum-secure.

As part of this audit, don’t forget to identify the places where data is in transit. However well your data is protected, it’s vulnerable when moving from one place to another. Make sure you understand how data is moving within your business – where from and to – so you can create a plan that addresses these weak points.

It’s also vital that you think about what industry regulations or standards you need to comply with, and where these come into play across the areas of your business. For industries like healthcare or finance, for example, there’s an added layer of regulation when it comes to information security, while privacy laws like the GDPR and CCPA will apply if you hold personal information relating to European or Californian citizens.

3. Build a long-term strategy for enhanced security

Once you’ve got a full view of what sensitive data you hold, you can start planning your migration to a quantum-ready architecture. How flexible is your current security infrastructure? How crypto-agile are your cryptography solutions? In order to migrate to new technology, do you need to rewrite everything, or could you make some straightforward switches?

Post-quantum encryption standards will be finalized by NIST in the next year and a half, but the process is already underway, and the direction of travel is becoming clearer. Now that finalist algorithms have been announced, businesses don’t need to wait to get quantum-secure – they must simply ensure that they design their security infrastructure to work with any of the shortlisted approaches that NIST is currently considering for standardization.

Deploying a hybrid solution – pairing existing solutions with one of the post-quantum schemes named as a NIST finalist – can be a good way to build resilience and flexibility into your security architecture. By doing this, you’ll be able to comply with whichever new industry standards are announced and remain fully protected against present and future threats in the meantime.

Whatever you decide, remember that migration can take time – especially if your business is already built on a complex infrastructure that will be hard to unpick and rebuild. Put a solid plan in place before you begin and consider partnering with an expert in the field to speed up the process.
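Steps 2 and 3 above call for an inventory of where cryptography is used and a migration plan that accounts for data shelf life and migration time. The script below is an added example, not code from the article or any vendor: it triages a constructed inventory against an assumed quantum horizon using the shelf-life-plus-migration-time rule (Mosca's inequality). The asset names, CSV columns and the 10-year horizon are assumptions.

```python
"""Quantum-risk triage of a cryptographic inventory (added example).

Framing assumed here: an asset is exposed to "harvest now, decrypt later" when
    shelf_life_years + migration_years > years_until_cryptographically_relevant_qc
(Mosca's inequality), unless the primitive is already considered quantum-safe.
For signature keys only the migration time matters: a forged signature is a
problem once a quantum computer exists, not retroactively.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample inventory: where cryptography is used, what it is,
# and how long the protected data must stay confidential.
INVENTORY_CSV = """\
asset,role,algorithm,key_bits,shelf_life_years,migration_years
vpn-gateway,key_exchange,ECDH,256,1,2
backup-archive,data_at_rest,AES,256,15,1
hr-records-db,data_at_rest,AES,128,10,1
partner-sftp,key_exchange,RSA,2048,3,3
code-signing,signature,ECDSA,256,8,4
saas-collab,key_exchange,RSA,3072,9,2
log-integrity,hash,SHA,256,5,1
"""

# Assumed planning horizon in years until a cryptographically relevant
# quantum computer. Treat it as a tunable policy input, not a prediction.
DEFAULT_HORIZON_YEARS = 10

# Public-key families broken outright by Shor's algorithm.
SHOR_BROKEN = {"RSA", "ECDH", "ECDSA", "DH", "DSA"}
# Symmetric and hash primitives: Grover's algorithm roughly halves effective
# strength, so 256-bit keys/digests are generally considered adequate while
# 128-bit ones merit an upgrade for long-lived data.
GROVER_AFFECTED = {"AES", "SHA"}


@dataclass
class Finding:
    asset: str
    verdict: str   # "safe", "upgrade" or "at_risk"
    reason: str


def classify(row: Dict[str, str], horizon_years: int = DEFAULT_HORIZON_YEARS) -> Finding:
    """Apply the exposure rule to one inventory row."""
    alg = row["algorithm"].upper()
    bits = int(row["key_bits"])
    if row["role"] == "signature":
        exposure = int(row["migration_years"])
    else:
        exposure = int(row["shelf_life_years"]) + int(row["migration_years"])
    if alg in SHOR_BROKEN:
        if exposure > horizon_years:
            return Finding(row["asset"], "at_risk",
                           f"{alg}-{bits} exposed {exposure}y > horizon {horizon_years}y")
        return Finding(row["asset"], "upgrade",
                       f"{alg}-{bits} is quantum-vulnerable; plan a hybrid/PQ migration")
    if alg in GROVER_AFFECTED:
        if bits < 256 and exposure > horizon_years:
            return Finding(row["asset"], "upgrade",
                           f"{alg}-{bits}: move to 256-bit for long-lived data")
        return Finding(row["asset"], "safe", f"{alg}-{bits} adequate against Grover")
    # Anything unrecognised is flagged rather than silently passed.
    return Finding(row["asset"], "upgrade", f"unknown primitive {alg}; review manually")


def triage(inventory_csv: str = INVENTORY_CSV,
           horizon_years: int = DEFAULT_HORIZON_YEARS) -> List[Finding]:
    """Classify every row of a CSV inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [classify(r, horizon_years) for r in rows]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per verdict, so the business case can be quantified."""
    counts = {"at_risk": 0, "upgrade": 0, "safe": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


if __name__ == "__main__":
    order = ("at_risk", "upgrade", "safe")
    for f in sorted(triage(), key=lambda f: order.index(f.verdict)):
        print(f"{f.verdict:8} {f.asset:16} {f.reason}")
    print(summarize(triage()))
```

Re-running `triage()` with a different `horizon_years` shows how sensitive the plan is to the horizon assumption, which is the argument to put in front of the executive team.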

A risk we can’t see

Just because a risk hasn’t yet materialized, doesn’t mean it isn’t worth preparing for (a mindset that could have come in handy for the coronavirus pandemic, all things considered…).

The quantum threat is serious, and it’s urgent. The good thing is that we already have all the ingredients to get a safety net in place, and thanks to strong mathematical foundations, we can be confident in the knowledge that the algorithms being standardized by NIST will protect businesses from even the most powerful computers.

The next step? Making sure this cutting-edge technology gets out of the lab and into the hands of the organizations who need it most.

Compliance activities cost organizations $3.5 million annually

Organizations are struggling to keep up with IT security and privacy compliance regulations, according to a Telos survey.

Annual compliance cost

The survey, which polled 300 IT security professionals in July and August 2020, revealed that, on average, organizations must comply with 13 different IT security and/or privacy regulations and spend $3.5 million annually on compliance activities, with compliance audits consuming 58 working days each quarter.

As more regulations come into existence and more organizations migrate their critical systems, applications and infrastructure to the cloud, the risk of non-compliance and associated impact increases.

Key research findings

  • IT security professionals report receiving an average of over 17 audit evidence requests each quarter and spend an average of three working days responding to a single request
  • Over the last 24 months, organizations have been found non-compliant an average of six times by both internal and third party auditors resulting in an average of eight fines, costing an average of $460,000
  • 86 percent of organizations believe compliance would be an issue when moving systems, applications and infrastructure to the cloud
  • 94 percent of organizations report they would face challenges when it comes to IT security compliance and/or privacy regulations in the cloud

Compliance teams are overwhelmed

“Compliance teams spend 232 working days each year responding to audit evidence requests, in addition to the millions of dollars spent on compliance activities and fines,” said Dr. Ed Amoroso, CEO of TAG Cyber. “The bottom line is this level of financial and time commitment is unsustainable in the long run.”

“As hammer, chisel and stone gave way to clipboard, paper and pencil, it’s time for organizations to realize the days of spreadsheets for ‘checkbox compliance’ are woefully outdated,” said Steve Horvath, VP of strategy and cloud at Telos.

“Automation can solve numerous compliance challenges, as the data shows. It’s the only real way to get in front of the curve, rather than continuing to try and keep up.”

99 percent of survey respondents indicated their organization would benefit from automating IT security and/or privacy compliance activities, citing expected benefits such as increased accuracy of evidence (54 percent), reduced time spent being audited (51 percent) and the ability to respond to audit evidence requests more quickly (50 percent).

2020 trends in SOX compliance

SOX & Internal Controls Professionals Group released a survey which measures the costs, execution, challenges and priorities faced by companies that comply with the Sarbanes-Oxley Act (SOX).

“In its fifth year, our survey reflects the broad experience of SOX professionals over time and presents a balanced perspective of the current state of SOX and internal controls management,” said Camille Kearns Rudy, National Director of the SOX & Internal Controls (IC) Professionals Group.

“Importantly, the survey confirms that the C-suite views SOX as highly valuable in their organizations. This acknowledgement ensures that SOX will have access to institutional capital needed to thrive and be effective.”

Improving efficiency in the SOX function was the top priority for SOX/IC practitioners in 2020. One-third of respondents reported they spend more than half their time on SOX, and that finding new ways to reduce the complexity of the controls processes and the time spent on manual testing was key.

Many still relying on spreadsheets and desktop publishing tools

Forty-four percent of respondents said they will focus heavily on controls automation, which ushers in the need for intelligent, cloud-based technology.

More than half of the market currently uses a SOX-specific software to execute their SOX compliance program, but one-third still rely on spreadsheets and desktop publishing tools.

While upgrading technology was a concern but not a priority in previous years, the high-risk environment created by COVID-19 has sparked a renewed sense of urgency to make changes to existing technologies and processes.

Cybersecurity and IT controls have also historically been among the top three areas of concern for SOX/IC professionals. These too have received increased attention in 2020, as over half of write-in comments highlighted the impacts of remote working and the ability to execute compliance.

Thousands of ISO certifications at risk of lapsing due to halted re-certification audits

Thousands of valuable ISO management system certifications earned by UK companies may now be at risk because auditors from Certification Bodies may not have been able to attend organizations’ premises to conduct essential re-certification audits during the current coronavirus pandemic.

Worldwide, hundreds of thousands of certifications are at risk of lapsing as lockdown conditions look set to continue for the foreseeable future.

Affected organizations may incur significant financial costs

Current UKAS guidelines – unchanged since August 2016 – state that: “If [a] recertification assessment cannot be undertaken within six months [of the anniversary of the certificate being issued] the certificate should be suspended, and a new initial assessment will be required.”

To restore their certifications, affected organizations may incur financial costs easily three times higher than they were expecting to pay for their annual audits – plus considerably higher levels of time and resources – as well as having to remove any reference to their certifications from their websites and other collateral in the meantime.

“Across just three [ISO9001, ISO27001 and ISO45001] of the five ISO management system standards that we help organizations to achieve, an average of 2,500 UK certifications per month could be at risk of lapsing due to the break in audit activities – never mind all other ISO standards, and notwithstanding any backlog of audits, whenever they can resume at scale,” said Peter Rossi, Director at InfoSaaS.

Some organizations may decide not to be re-audited

The International Organization for Standardization (ISO) doesn’t publish figures for the number of certifications granted across every standard. However, there are more than 1.3 million certifications worldwide across 12 standards for which it has most recently published numbers, in the form of the ISO Survey 2018 (including ISO9001, ISO14001, ISO20000, ISO22000, ISO22301, ISO27001, ISO28000, ISO45001, ISO50001, ISO 13485, ISO37001 and ISO 39001).

Worldwide there are over 870,000 certifications for ISO9001 alone, indicating that – six months on from the start of lockdowns – over 70,000 per month may be at risk of lapsing should surveillance audits remain halted.

“The uncomfortable truth is that, under current circumstances, some organizations may decide not to be re-audited and simply to let their ISO certifications lapse. Any such de-prioritisation may, in turn, lead to an unwanted decline in standards for the likes of information security, environmental management, health and safety and quality management. This is not a good outcome for anyone,” explained Rossi.

Internal audit leaders should develop new skills to stay relevant

Chief audit executives (CAEs) and internal audit leaders report their next-generation competency levels in three vital areas – governance, methodology and enabling technology – to be remarkably low, a Protiviti survey reveals. The survey also identified that the majority of internal audit functions are at risk of losing relevance for not modernizing and transforming the audit process, against the increasing demands of today’s stakeholders. Nearly 780 Chief Audit Executives (CAEs) and internal audit leaders were … More

The post Internal audit leaders should develop new skills to stay relevant appeared first on Help Net Security.

A Boxcryptor audit shows no critical weaknesses in the software

More and more companies, self-employed professionals and private customers are using Boxcryptor to protect sensitive data, primarily in the cloud. Boxcryptor ensures that nobody but authorized persons has access to the data. Cloud providers and their staff, as well as potential hackers, are reliably excluded. The audit verified whether this protection is guaranteed.

During the audit, Kudelski was given access to the source code of Boxcryptor for Windows and to the internal documentation.

“All these components were logically correct and did not show any significant weakness under scrutiny. It is important to note that the codebase we audited was not showing any signs of malicious intent.”

The goal of the audit

The goal of the audit was to give all interested parties an indirect insight into the software, so that they can be sure the code contains no backdoors or security holes.

Robert Freudenreich, CTO of Boxcryptor, about the benefits of an audit: “For private users, Boxcryptor is a means of digital self-defense against curious third parties, for companies and organizations a way to achieve true GDPR compliance and complete control over business data. With software that is so security relevant, it is understandable that users want to be sure that the software is flawless.”

The audit process started at the beginning of May with short communication lines to the developers and managers in the Boxcryptor team. If Kudelski had found a serious security vulnerability, they would not have held it back until the final report, but would have reported the problem immediately.

A problem rated as “medium”

The problem rated as medium is a part of the code that affects the connection to cloud providers using the WebDAV protocol. Theoretically, the operators of such cloud storage providers could have tried to inject code into Boxcryptor for Windows.

In practice, however, this code was never used by Boxcryptor, so there was no danger for Boxcryptor users at any time. In response to the audit, this redundant part of the code was removed.

Two problems classified as “low” and further observations

One problem classified as low concerns the user password: to protect users with insecure passwords, it was suggested that passwords be hashed even more frequently and that the minimum password length be increased, which we implemented immediately.

The second problem classified as low was theoretical and concerned the reading of the Boxcryptor configuration.

Tasks associated with SOX compliance continue to be significant

Only 46 percent of audit teams have been utilizing advanced technologies to optimize SOX compliance activities, a decrease from the previous year’s Protiviti survey findings.

SOX compliance challenges

The longstanding challenges associated with compliance with the Sarbanes-Oxley Act, such as the cost of compliance and reliance on time-consuming manual tasks, are being exacerbated by the COVID-19 pandemic, as finance and audit teams are required to perform audit tasks remotely.

“The tasks associated with SOX compliance continue to be significant and time-consuming,” said Brian Christensen, executive vice president and global leader of Protiviti’s internal audit and financial advisory practice.

“The pandemic brings added burdens to the SOX compliance process, and it will be important for companies to reassess any temporary changes in control design and operation to ensure they continue to be aligned with their risk appetite as the business environment begins to normalize.”

SOX compliance hours increase

The survey revealed that the number of hours devoted to SOX compliance activities continues to rise, despite regulatory requirements remaining the same year-on-year.

Among companies that saw an increase in their SOX compliance hours, 67 percent reported the number of hours went up by more than 10 percent over the prior year, highlighting their lack of automation for simple functions. This finding can also be attributed to the increasingly more complex operations of modern companies.

Yet SOX teams that rely solely on spreadsheet and word processing applications, or legacy GRC (governance, risk and compliance) systems to manage their control environments, spend extensive time dealing with version control issues, manually making individual control changes across a dozen or so documents and preparing status reports.

While RPA (robotic process automation), GRC, data analytics and advanced technology tools would better enable SOX work to be performed more efficiently and effectively, many companies surveyed expressed reluctance about embracing centralized control testing and increasing their use of automation.

Leveraging technology

However, companies are starting to take notice, with a quarter of those who do not currently utilize technology tools in their organization’s SOX compliance process responding that they plan to do so in the next fiscal year and 48 percent responding that they plan to do so within two years.

Among the survey respondents already leveraging technology in their organization’s SOX compliance process, it is most frequently applied in testing the accounts payable process (48 percent), financial reporting process (43 percent) and account reconciliations process (43 percent).

“The current pandemic is a vivid reminder of how important it is for audit leaders to be resilient, adapt to unexpected and disruptive events and ensure they can complete SOX compliance activities even when they are dispersed and working offsite,” said Chris Wright, a Protiviti managing director and leader of the firm’s Business Performance Improvement practice.

“Now is the time to address longstanding industry resistance to using technology and automation that has been holding back the evolution of compliance teams for years.”

Eye-opening statistics about open source security, license compliance, and code quality risk

99% of commercial codebases contain at least one open source component, with open source comprising 70% of the code overall, according to Synopsys.

Open source components and security

More notable is the continued widespread use of aging or abandoned open source components, with 91% of the codebases containing components that either were more than four years out of date or had seen no development activity in the last two years.

The most concerning trend in this year’s analysis is the mounting security risk posed by unmanaged open source, with 75% of audited codebases containing open source components with known security vulnerabilities, up from 60% the previous year. Similarly, nearly half (49%) of the codebases contained high-risk vulnerabilities, compared to 40% just 12 months prior.

“It’s difficult to dismiss the vital role that open source plays in modern software development and deployment, but it’s easy to overlook how it impacts your application risk posture from a security and license compliance perspective,” said Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Center.

Open source adoption continues to soar

Ninety-nine percent of codebases contain at least some open source, with an average of 445 open source components per codebase—a significant increase from 298 in 2018.

Seventy percent of the audited code was identified as open source, a figure that increased from 60% in 2018 and has nearly doubled since 2015 (36%).

Outdated and “abandoned” components are pervasive

Ninety-one percent of codebases contained components that either were more than four years out of date or had no development activity in the past two years.

Beyond the increased likelihood that security vulnerabilities exist, the risk of using outdated open source components is that updating them can also introduce unwanted functionality or compatibility issues.

Use of vulnerable open source components trending upward again

In 2019, the percentage of codebases containing vulnerable open source components rose to 75% after dropping from 78% to 60% between 2017 and 2018. Similarly, the percentage of codebases containing high-risk vulnerabilities jumped up to 49% in 2019 from 40% in 2018.

Fortunately, none of the codebases audited in 2019 were impacted by the infamous Heartbleed bug or the Apache Struts vulnerability that haunted Equifax in 2017.

Open source license conflicts continue to put intellectual property at risk

Despite its reputation for being “free,” open source software is no different from any other software in that its use is governed by a license. Sixty-eight percent of codebases contained some form of open source license conflict, and 33% contained open source components with no identifiable license.

The prevalence of license conflicts varied significantly by industry, ranging from a high of 93% (Internet & Mobile Apps) to a relatively low of 59% (Virtual Reality, Gaming, Entertainment, Media).

The potential impact of SAP security remediation

More than two thirds (68.8%) of SAP users believe their organizations put insufficient focus on IT security during previous SAP implementations, while 53.4% indicated that it is ‘very common’ for SAP security flaws to be uncovered during the audit process. These are key findings of the SAP Security Research Report by Turnkey Consulting.

The research also uncovered that most respondents were not fully equipped to manage risk. A fifth (20.8%) felt most businesses did not have the skills and tools to effectively secure their SAP applications and environment, with 64.3% saying they only had some skills and tools.

Looking at specific concerns, nine out of ten (93.2%) people thought it was likely that an SAP audit would flag access management issues. Privileged or emergency access was also a major concern with 86.4% believing it was common or very common to have audit findings specifically related to it.

However, the research also showed a growing awareness of the security challenges faced by today’s enterprise, with the adoption of ‘security by design’ regarded as a solution. 74.0% expect IT security to take greater priority in future SAP deployments, with 89.6% agreeing that security specialists should be brought on board to support their SAP S/4 HANA transformation programs.

Richard Hunt, managing director at Turnkey Consulting, said: “The findings of this survey mirror our day-to-day experiences; SAP security is often an afterthought on SAP deployments, with the result that not enough time and resource is allocated to the essential security activities that need to take place throughout the project.”

“However it is encouraging to see that boardroom awareness is growing as the general business environment becomes increasingly focused on compliance, data protection and cyber security. This understanding will drive organizations to take the critical step of designing security into implementations from day one.”

Turnkey undertook its inaugural SAP research to determine organizations’ preparedness as the SAP landscape undergoes a time of transition and the deadline to adopt SAP S/4 HANA approaches. The SAP ERP offers extensive user benefits in terms of increased interconnectivity and mobility, but risks leaving SAP applications and infrastructure open to exploitation.

“Rolling out SAP S/4 HANA requires significant investment and organizational commitment. This reinforces why building in security from the start is vital if remediation, which is costly from both a financial perspective as well as in terms of business disruption, is to be avoided further down the line,” Hunt concludes.

Organizations not properly set up to manage risk, coronavirus pandemic reveals

Organizations’ current approach to risk governance is not sufficient to tackle the complex risk environment organizations are facing today, according to Gartner. The COVID-19 pandemic is just the latest in a line of recent risk events showing how organizations are not properly set up to manage risk, especially fast-moving ones.

The research showed that 87% of audit departments say their organization uses a “three lines of defense” (3LOD) model for risk governance. This model states that line management should act as the first line of defense, identifying risks and implementing controls.

Risk and assurance functions such as legal, compliance and enterprise risk management (ERM) should act as a second line, overseeing and monitoring risk management processes. Finally, internal audit should act as a third line, taking a bird’s-eye view of the effectiveness of controls and risk management.

“Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks. Pandemic is a rapidly developing type of risk that needs a dynamic risk management (DRG) set-up,” said Malcolm Murray, vice president and fellow, research for the Gartner Audit and Risk practice.

“The coronavirus pandemic demonstrates why organizations need a new approach for governing the management of the many complex risks they face in today’s world,” said Mr. Murray.

“Adopting the DRG principles helps organizations ensure they have the appropriate governance for different kinds of risks, with the right kind of risk management activities and the right people involved.”

Dynamic risk governance

The effectiveness of DRG was measured in a survey of over 200 organizations, looking at whether traditional or dynamic approaches to governing risk management led to better risk management behaviors and better risk outcomes. The three pillars of DRG each increased the occurrence of high-quality risk management behaviors:

  • Risk-tailored governance (18% increase) – The governance model should depend on the risk’s speed, the organization’s risk tolerance and internal constraints rather than relying on a one-size-fits-all level of scrutiny, such as centralized oversight for all risks or models based on industry norms. Corporate leaders should have the final say here, because the governance model should be determined based on the company strategy. A benefit of placing this authority with senior management rather than with the board and the assurance functions is more rapid response: these top executives can take faster action.
  • Activity-based risk governance (22% increase) – This means dispensing with the idea that only the first line owns all risk activities, and assigning accountability for risk management tasks without regard for the borders between first/second/third line. Senior management – not assurance functions – should determine who will decide the task owners for a particular risk. For some risks, it will not matter which exact function is accountable for each activity – as long as there is specific accountability assigned.
  • Digital-first risk governance (18% increase) – This means considering digital solutions during creation of the governance framework for the risk, not as an afterthought. For instance, if large parts of the risk management can be automated, then fewer functions need to be involved.

Adopting the DRG principles is beneficial

When looking at the risks related to the coronavirus pandemic specifically, adopting the DRG principles is beneficial at all three stages of dealing with the risk – response, recovery and restoration.

For the first stage, adopting DRG means quickly identifying who in senior management should own the governance of the risk and quickly setting up an initial governance model that considers the fast speed of the risk. It means identifying the key risk management activities for this stage of the risk and assigning clear accountability for these to appropriate parties.

In subsequent stages, when attention shifts towards recovery and restoration, applying the DRG principles allows organizations to regularly revisit whether the risk is governed in the right way. Once there is more visibility to the path of the risk, additional risk management activities can be added, such as adding a focus on monitoring the risk and assessing longer-term impact.

“This isn’t just about risk managers, this is about the board of directors and senior management making risk governance a key consideration so that organizations become more resilient against fast-emerging risks, such as coronavirus,” said Mr. Murray. “The DRG methodology applies equally to the many fast-emerging risks presented by digitalization.”

Organizations still struggle to manage foundational security

Regulatory measures such as GDPR put focus on data privacy at design, tightening requirements and guiding IT security controls like Public Key Infrastructure (PKI).

Continued adoption of IoT, cloud and mobile technologies is increasing the number of digital certificates and keys that secure connections and authenticate identities through PKI, research by Keyfactor and the Ponemon Institute reveals.

“This research demonstrates that despite heightened compliance focus, businesses struggle to manage foundational security like PKI and the tools and processes that maintain it. This is concerning, especially as the number of digital certificates and keys within enterprise continues to multiply,” said Chris Hickman, CSO at Keyfactor.

Regulatory compliance a strategic priority

Half of respondents indicate regulatory compliance as a strategic priority and two-thirds say their organization is adding additional layers of encryption to comply with regulations and IT policies.

However, undocumented or unenforced key management policies are problematic, with respondents averaging more than four failed audits or compliance experiences in the last 24 months.

“Less than half of respondents say they have sufficient staff dedicated to PKI,” said Hickman.

“A lack of program ownership, combined with the constant care and feeding that digital identities need, has introduced new risk, creating an exposure epidemic. Unless leaders invest in in-house processes and outsourced resources to manage PKI, enterprise will risk failed audits, fines and worse, a security breach.”

Foundational security: Additional findings

  • A rise in security incidents: on average, organizations experienced a Certificate Authority (CA) or rogue man-in-the-middle (MITM) and/or phishing attack four times in the last 24 months, facing a 32% likelihood of a MITM or phishing attack over the next 24 months.
  • Staffing shortages: on average, 15% of IT security budget is spent on PKI deployment annually, yet just 43% of respondents say their organisation has enough IT security staff members dedicated to PKI deployment.
  • Lack of visibility: 70% of respondents say their organisation does not know how many digital certificates and keys it has within the business.
  • Cryptography related security incidents undermine trust: 68% of respondents say failure to secure keys and certificates undermines the trust their organisation relies upon to operate.
  • Cryptography lacks a center of excellence: despite the rising cost of PKI and growth of cryptography-related incidents, just 40% of companies have the ability to drive enterprise-wide best practice.
  • Spending trend: represented organizations are spending an average of £9.37M on IT security annually, with £1.37M dedicated to PKI.

What decentralized IT spending means for the CIO role

Sixty-seven percent of IT leaders say at least half of their IT spend is now controlled by individual business units, according to a report from IDG Connect and Snow Software.

While most believe this is beneficial for their organization, it presents new challenges when combined with increased cloud usage – 56% of IT leaders are concerned with hidden cloud costs and nearly 90% worry about the prospect of vendor audits within cloud environments.

The survey, conducted to understand how the rise of infrastructure-as-a-service (IaaS) and democratized IT spending is impacting businesses, found that more than half of IT leaders expressed the need to gain better visibility of their IT assets and spending across their organization.

Business units control a large share of tech spend, which is a mixed bag

Traditionally, technology purchasing and management was controlled by IT departments. The cloud and as-a-service models shifted this dynamic, enabling employees throughout the organization to easily buy and use technology without IT’s involvement.

IT leaders are embracing this trend, with 78% reporting that the shift in technology spending is a positive for their organizations. But decentralized IT procurement also creates new complexities for organizations as they try to manage their increasingly diverse IT estates.

The IT leaders in the study voiced concern that the shift in spending to business units:

  • Increases the risk to data security
  • Increases the threat of non-compliance
  • Leaves cloud spending spiraling out of control
  • Makes audit preparation more time-consuming and complex

In fact, 78% said audit preparation is growing increasingly complex and time consuming.

Executives are justified in worrying about audits

Results suggest that annual audits are now the rule rather than the exception – 73% of those surveyed said they have been audited by at least one software vendor in the past 12 months.

When asked which vendors they had been audited by within the last year, 60% said Microsoft, 50% indicated IBM and 49% pointed to SAP. Such enterprise software audits can put a tremendous strain on internal resources and result in six, seven and even eight-figure settlement bills.

The vast majority of IT leaders surveyed said they are concerned about the looming possibility of audits, specifically when it comes to IaaS environments. When asked if the thought of software vendor audits for licensed usage on the IaaS front worries them, 60% responded “yes, very much so” and 29% said they are somewhat concerned.

The roles and requirements for IT have changed

Survey respondents also voiced concern that with decentralized IT spending within their organizations, they will be held responsible for something they currently can’t control. 59% said that in the next two years they need to gain better visibility of the IT estate.

Just slightly less than that (52%) said in that same timeframe, they would have to obtain an increased understanding of who is spending what on IT within the larger organization.

“As the research highlights, the shift to cloud services coupled with democratized technology spend is fundamentally changing the way businesses and IT leaders need to operate,” said Sanjay Castelino, Chief Product Officer at Snow Software.

“Empowering business units to get the technology they need is largely a positive development, but it creates challenges when it comes to visibility and control – and that can put organizations at risk of having problematic audits.

“It is more important than ever for organizations to have complete insight and manageability across all of their technology in the IT ecosystem.”

The report is based on a survey, conducted by IDG Connect, of 450 IT managers in Germany, the U.K. and the U.S. These individuals come from organizations with 1,000 or more employees in sectors such as financial services, computer services and retail businesses, and 65% of the survey group hold C-level positions.

Arlo: An open source post-election auditing tool

The Cybersecurity and Infrastructure Security Agency (CISA) is teaming up with election officials and their private sector partners to develop and pilot an open source post-election auditing tool ahead of the 2020 elections.

The tool, known as Arlo, is being created by VotingWorks, a non-partisan, non-profit organization dedicated to building secure election technology.

About Arlo

Arlo is open source software provided free for state and local election officials and their private sector partners to use.

The tool supports numerous types of post-election audits across various types of voting systems including all major vendors.

Arlo provides an easy way to perform the calculations needed for the audit: determining how many ballots to audit, randomly selecting which ballots will be audited, comparing audited votes to tabulated votes, and knowing when the audit is complete.
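As an added illustration of those four calculations (not code from Arlo or VotingWorks, whose methods the page does not describe), here is a ballot-polling audit built on the BRAVO sequential test; that choice of test, the contest numbers, and the seeds are all assumptions constructed for the example.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Tabulation:
    """Reported (machine-tabulated) totals for a two-candidate contest."""
    total_ballots: int   # every ballot cast, including blanks/other
    winner_votes: int
    loser_votes: int

    @property
    def winner_share(self) -> float:
        """Winner's share of winner+loser votes; must exceed 0.5."""
        return self.winner_votes / (self.winner_votes + self.loser_votes)


def estimated_sample_size(tab: Tabulation, risk_limit: float) -> int:
    """Step 1: how many ballots to pull if the hand count mirrors the tabulation.
    BRAVO-style average-sample-number approximation: expected growth of the
    log test statistic per sampled ballot, divided into ln(1/risk_limit).
    """
    s_w = tab.winner_share
    s_l = 1.0 - s_w
    growth = s_w * math.log(2 * s_w) + s_l * math.log(2 * s_l)
    return math.ceil(math.log(1.0 / risk_limit) / growth)


def select_ballots(tab: Tabulation, sample_size: int, seed: str) -> list[int]:
    """Step 2: draw ballot indices with replacement from a PRNG seeded with a
    published seed, so observers can reproduce the selection themselves."""
    rng = random.Random(seed)
    return [rng.randrange(tab.total_ballots) for _ in range(sample_size)]


def ballot_polling_audit(tab: Tabulation, hand_votes: list[str], risk_limit: float):
    """Steps 3 and 4: weigh each hand-interpreted ballot ('W' winner, 'L' loser,
    'O' other/blank) against the reported shares and stop once the BRAVO
    statistic reaches 1/risk_limit.
    Returns (complete, ballots_examined, measured_risk). If the sample is
    exhausted without confirming, complete stays False and the audit must
    escalate (ultimately to a full hand count).
    """
    s_w = tab.winner_share
    t = 1.0
    for examined, vote in enumerate(hand_votes, start=1):
        if vote == "W":
            t *= 2 * s_w          # evidence for the reported winner
        elif vote == "L":
            t *= 2 * (1 - s_w)    # evidence against; shrinks the statistic
        if t >= 1.0 / risk_limit:
            return True, examined, 1.0 / t
    return False, len(hand_votes), min(1.0, 1.0 / t)


if __name__ == "__main__":
    # Constructed contest: 1,000 ballots, reported 600 to 380 with 20 blanks.
    tab = Tabulation(total_ballots=1000, winner_votes=600, loser_votes=380)
    paper = ["W"] * 600 + ["L"] * 380 + ["O"] * 20   # constructed paper ballots
    random.Random("constructed-shuffle").shuffle(paper)
    n = estimated_sample_size(tab, risk_limit=0.05)
    picks = select_ballots(tab, n, seed="constructed-public-seed")
    print(ballot_polling_audit(tab, [paper[i] for i in picks], 0.05))
```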

The first version of Arlo is already supporting pilot post-election audits across the country, including several from this month’s elections.

Some partners of this pilot program include election officials in Pennsylvania, Michigan, Missouri, Virginia, Ohio, and Georgia. Additional partners will be announced in the coming weeks.

Improving post-election auditing

CISA’s investment is designed to support election officials and their private sector partners who are working to improve post-election auditing in the 2020 election and beyond.

“Heading into 2020, we’re exploring all possible ways that we can support state and local election officials while also ensuring that Americans across the country can confidently cast their votes,” said CISA Director Christopher Krebs.

“At a time when we know foreign actors are attempting to interfere and cast doubt on our democratic processes, it’s incredibly important elections are secure, resilient, and transparent. For years, we have promoted the value of auditability in election security, it was a natural extension to support this open source auditing tool for use by election officials and vendors, alike.”

“We’re very excited to partner with CISA to develop Arlo, a critical tool supporting the implementation of more efficient and effective post-election audits. Because Arlo is open-source, anyone can take it and use it and anyone can verify that it implements audits correctly,” said Ben Adida, Executive Director of VotingWorks.

Inadequate data sanitization puts enterprises at risk of breaches and compliance failures

Global enterprises’ overconfidence and inadequate data sanitization are exposing organizations to the risk of data breach, at a time when proper data management should be at the forefront of everything they do, according to Blancco. Three quarters (73 percent) agreed that the large volume of different devices at end-of-life leaves their company vulnerable to a data security breach, while 68 percent said they were very concerned about the risk of data breach related to end-of-life … More

The post Inadequate data sanitization puts enterprises at risk of breaches and compliance failures appeared first on Help Net Security.

Top concerns for audit executives? Cyber risks and data governance

As organizations continue to collect customer and employee data, chief audit executives (CAEs) are increasingly concerned about how to govern and protect it. Gartner conducted interviews and surveys from across its global network of client organizations to identify the biggest risks facing boards, audit committees and executives in 2020. Data governance has risen to the top spot of CAEs’ audit concerns, up from second place in last year’s report, replacing cybersecurity preparedness. Increased regulatory scrutiny … More