Exploring the link between big data, cybersecurity and audit

Published in European Court of Auditors · #ECAjournal

8 min read · Mar 9, 2020

Auditors provide trust and assurance on the basis of (among other things) their verification of the data underlying the assertions made by others. The digital revolution has brought new risks to this data, concerning its reliability and intrusion by others. In March 2019, the ECA published a briefing paper on the challenges to effective delivery of the EU’s cybersecurity policy. This paper aimed to provide an overview of the EU’s complex and multi-layered ecosystem regarding cybersecurity, as well as providing points for reflection for policy makers and practitioners. As head of task, Michiel Sweerts, a Senior Auditor at the ECA, was responsible for this review. He is also currently developing the ECA’s cybersecurity knowledge node. In this article, he explores the relationship between big data, cybersecurity and audit.

By Michiel Sweerts, External action, Security and Justice Directorate

Trust in data matters, even more so in the fourth industrial revolution

Trust lies at the heart of cybersecurity, big data and audit. Without adequately securing our hardware, software and data, users’ trust will be eroded and technological innovation will suffer. Without trust in the veracity of our data, how can we ensure its quality and use? And without the assurance that audit can provide that what organisations say about their security levels reflects reality, share- and stakeholders will ask not only whether their money is safe, but also whether their data is. As the fourth industrial revolution continues apace, the linkage between these three will continue to grow in importance.

Protecting data through cybersecurity

Broadly speaking, cybersecurity is all about the safeguards and measures adopted to defend information systems and their users against unauthorised access, attack and damage to ensure the availability (1), confidentiality (2) and integrity (3) of data. It involves preventing, detecting, responding to and recovering from cyber incidents. These incidents may be deliberate or not and range, for example, from accidental disclosures of information, to attacks on businesses and critical infrastructure, to the theft of corporate and personal data, and even interference in democratic processes. All can have wide-ranging harmful effects on individuals, organisations and communities.

The types of cybersecurity threats are myriad, for example, ransomware, distributed denial of service, social phishing or advanced persistent threats. They can be classified according to what they do to data — disclosure, modification, destruction or denied access — or by the core information security principles they violate, as shown in Figure 1 below.

Figure 1 — Threat types and the security principles they put at risk (Source: European Parliament, Cybersecurity in the European Union and Beyond: Exploring the Threats and Policy Responses, Study for the LIBE Committee, September 2015)

Using cybersecurity to strengthen big data, or big data to strengthen cybersecurity?

Big data is used to describe very large data sets that are mined and analysed to identify patterns and behavioural trends. The explosive growth in data is being driven by various factors, including digital transformation, ever greater access to mobile applications, the falling cost and ease of storing data, the advent of the Internet of Things (IoT), and the advent of machine learning.

The traditional 3 V’s of big data are volume (the scale of data), velocity (analysis of streaming data) and variety (different forms of data). In recent years, veracity (uncertainty of data, i.e. is what the data shows true?) and value (the intrinsic worth of aggregated, machine-readable structured and curated, unstructured data that drives decision-making) have been added to these. One V that is not named in association with big data, but is certainly worthy of critical consideration, is vulnerability: the more data that is put out there, in ever more complex forms of storage, and shared among ever more individuals within organisations, the greater the risk that this data could be accessed by malicious actors (‘collect everything and throw away nothing’). Much of this data is personal — think of mobile phone records, social media activity, web server logs, internet click stream data — so protecting personal and sensitive information must be a top priority for any organisation.

Data is accessible from so many points today through mobile and cloud services that it is no longer possible to cordon it off. Data has also been steadily ‘democratised’ throughout organisations, where it has been made increasingly available to all levels. On the upside, this can potentially serve to maximise the data’s value, as it can lead to greater operational efficiencies, product developments or enhanced customer experiences. On the downside, staff have access to more data than they need, and this represents a security risk: people still represent the greatest threat to organisations, with insiders accounting for the largest part of breaches. These elements converge to result in an ever-increasing attack surface, leading to a shift from ‘perimeter’ protection of network and information systems towards the monitoring and detection of malicious activities inside these networks and systems. This means defending the data itself. And because this data represents so much of an organisation’s value nowadays, it is hardly surprising that it is at greater risk than ever before.

Effective cybersecurity measures are therefore needed more urgently than ever to protect networks, systems and data from intrusion. The numbers vary — depending on who you read — but they all point in the same direction: cyber-attacks are surging. And while it is clear that cybersecurity exists to protect, amongst other things, big data, can big data be used to benefit cybersecurity?

As cyber attacks increase in sophistication and frequency, traditional software is often no longer capable of offering the necessary protection. Big data analytics and machine learning (itself a big generator of data) can enable near real-time analysis of information, which in turn may provide not only useful threat warnings but also the possibility to develop suitable counter-measures to fend off attacks. For example, using multiple data sources and machine learning to analyse authentication and authorisation log reports, network activity and resource access can help to correlate this information, to identify changing behavioural and use patterns, to detect vulnerabilities, and to compare what is normal with what is not expected.
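The “normal versus not expected” comparison described above, as an added example that is not part of the original article and not the ECA’s own tooling: a per-user baseline of source addresses and login hours is learned from a historical window of authentication events, and a new batch of events is then scored against it. The log format, the user names, addresses and timestamps, and the `fail_threshold` of five attempts are all constructed for this illustration; a production pipeline would read real syslog or directory-service events and would tune the thresholds per environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format for this example (not a real product's format):
# "<ISO timestamp> auth user=<name> src=<address> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def build_baseline(lines):
    """Learn, per user, the source addresses and hours of day seen in successful logins."""
    baseline = defaultdict(lambda: {"sources": set(), "hours": set()})
    for event in filter(None, map(parse_line, lines)):
        if event["result"] != "ok":
            continue  # failed attempts say nothing about what is normal for the user
        profile = baseline[event["user"]]
        profile["sources"].add(event["src"])
        profile["hours"].add(event["ts"].hour)
    return dict(baseline)


def detect(baseline, lines, fail_threshold=5):
    """Return [(line, reasons)] for each new line that deviates from the baseline.

    Reasons: unknown_user, new_source, unusual_hour, and failed_burst once the
    failures for one (user, source) pair in this batch reach fail_threshold.
    """
    findings = []
    failures = Counter()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skipped here; a real pipeline should count parse errors too
        reasons = []
        profile = baseline.get(event["user"])
        if profile is None:
            reasons.append("unknown_user")
        else:
            if event["src"] not in profile["sources"]:
                reasons.append("new_source")
            if event["ts"].hour not in profile["hours"]:
                reasons.append("unusual_hour")
        if event["result"] == "fail":
            key = (event["user"], event["src"])
            failures[key] += 1
            if failures[key] == fail_threshold:
                reasons.append("failed_burst")
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample data: a short "normal" history and a batch of new events.
BASELINE_LOGS = [
    "2020-02-03T08:12:00 auth user=alice src=10.0.0.5 result=ok",
    "2020-02-03T09:40:00 auth user=alice src=10.0.0.5 result=ok",
    "2020-02-04T10:05:00 auth user=alice src=10.0.0.5 result=ok",
    "2020-02-03T09:01:00 auth user=bob src=10.0.0.7 result=ok",
    "2020-02-04T13:30:00 auth user=bob src=10.0.0.7 result=ok",
    "2020-02-04T13:45:00 auth user=bob src=10.0.0.7 result=fail",  # ignored by baseline
]

NEW_LOGS = [
    "2020-03-02T09:15:00 auth user=alice src=10.0.0.5 result=ok",      # within baseline
    "2020-03-02T03:02:00 auth user=alice src=203.0.113.9 result=ok",   # new source, 03:00
    *[f"2020-03-02T13:00:{i:02d} auth user=bob src=10.0.0.7 result=fail" for i in range(5)],
    "not a log line",                                                   # unparseable
]


def run_example():
    """Build the baseline from history and score the new batch against it."""
    return detect(build_baseline(BASELINE_LOGS), NEW_LOGS)


if __name__ == "__main__":
    for line, reasons in run_example():
        print(", ".join(reasons), "<-", line)
```

Only two of the eight new events are reported: alice’s login from an address and at an hour never seen for her, and the fifth consecutive failure for bob from his usual address. The first four failures are silent by design, which is the trade-off every threshold-based rule makes between noise and latency; in practice the baseline is rebuilt on a rolling window so that genuinely changed behaviour (a new office, a new device) stops being flagged after it has been observed as successful and routine.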

Improving incident response can also be powered by big data. Some of the largest breaches that have taken place to date show that while the attacks themselves can spread incredibly quickly, sometimes within minutes, the corporate responses lag significantly behind — exacerbating the damage and loss caused. As more information is collected about attacks and how they are reacted to, this will enable the development of automated playbooks that deliver intelligent and instant incident responses.

Box 1 — ECA Briefing Paper 2/2019 — Challenges to effective EU cybersecurity policy

The objective of the briefing paper, which was not an audit report, was to provide an overview of the EU’s complex cybersecurity policy landscape and identify the main challenges to effective policy delivery. It covered network and information security, cybercrime, cyber defence and disinformation. We identified ten challenges, as shown in Figure 2. Achieving a greater level of cybersecurity in the EU remains an imperative test. In addition, we included a series of reflection points for policy-makers, legislators and practitioners. The paper is also being used to inform the ECA’s future audit work in this area.

The growing need to audit cybersecurity governance

A major challenge for the cybersecurity profession is to shift the wider public’s thinking on the nature of cybersecurity. For too many in leadership positions in both the private and public sector, cybersecurity is still too often perceived as an IT problem or technology issue to be dealt with, rather than a significant business or organisational one. Addressing this requires effective cybersecurity governance in all organisations, especially those holding growing volumes of valuable data; it is well established that weaknesses in cyber governance abound today. Developing a culture of cyber hygiene is incumbent on all who interact with organisational data — be they corporate insiders or external parties like auditors.

This will therefore have repercussions on audit as well: there is an increasing need for effective cybersecurity audits to ensure that organisations are protecting themselves against cyber threats. Cybersecurity audits should not merely focus on the technical aspects of security controls, but go much further to assess the effectiveness of the controls in place to identify the threats, risks and vulnerabilities faced by the organisation. This would also include governance, risk management, awareness-raising and training, legal and regulatory compliance, information security policies and procedures, and so on. And as the technology evolves and the location of information and (big) data shifts to the cloud, will existing controls suffice? Or will they need to be modified, or even replaced altogether?

For national supreme audit institutions (SAIs) and the ECA, this will increasingly need to become a part of the periodic audit landscape. Our briefing paper has provided us with the impetus to audit the EU institutions’ own cyber-governance arrangements in the foreseeable future (see also Figure 2). In Australia, for example, the ANAO has carried out five performance audits since 2013 covering 17 government entities’ compliance with the Australian Government’s Information Security Manual.

Figure 2 — EU cybersecurity policy: ten key challenges

We must also bear in mind the question of how — given our unique access rights to client data — we can ensure that, as auditors, we are sufficiently cybersecure ourselves to avoid providing backdoor access to hackers who wish to target our clients. What we expect of auditees should be mirrored in our audit organisations. Auditors’ reputations depend on their trustworthiness. While no system can guarantee 100% prevention of cyberattacks, auditors must lead by example by ensuring that they are beyond reproach in securing their own networks and the client data they hold. Any breach of our own systems as auditors that exposed highly sensitive information would be highly damaging.

Integrating cybersecurity into the normal audit process

Organisations, politicians, consumers and citizens want to be able to trust that the data they share is secure, that the data used for decision-making is trustworthy, and that auditors not only provide assurance that can be trusted, but also that they are trustworthy custodians of the data they have been provided with. Big data and cybersecurity will continue to reinforce one another, and auditors must ensure that going forward, cybersecurity becomes integrated into the normal audit process.

(1) Ensuring timely and reliable access to and use of information.

(2) The protection of information and data from unauthorised access.

(3) Guarding against the improper modification or destruction of information, and guaranteeing its authenticity.

This article was first published in the 1/2020 issue of the ECA Journal. The contents of the interviews and the articles are the sole responsibility of the interviewees and authors and do not necessarily reflect the opinion of the European Court of Auditors.
