Trends in technology risks 2024

Cyber security isn’t a new risk. Many organisations already have in-flight cyber security programmes to enhance their controls and their ability to defend, detect, respond, and recover from cyber-attacks. They’re also taking proactive approaches to cyber security assurance by implementing continuous monitoring and more advanced threat detection capabilities. Most organisations today have a range of security-focused assurance mechanisms in place, such as obtaining accreditations (eg, ISO 27001, Cyber Essentials Plus), performing penetration testing, or conducting red-team exercises.

Over the past year we have noted an increasing number of organisations commissioning programmes to further enhance their cyber posture in line with broader and more robust frameworks, such as NIST and CIS. While being well recognised, these frameworks tend to require greater investment to adhere to their requirements and in ongoing assurance.

• Build a unified picture of the organisation’s cyber security assurance processes and shape complementary internal audit plans to build on this existing assurance, reducing duplication.
• Play a key role in providing assurance over cyber security investments and programmes.
• Conduct cyber health checks using established appropriate frameworks, such as NIST or CIS, instead of relying solely on traditional methods like the 10 Steps or Cyber Essentials Plus.
• Assess the arrangements the organisation has in place to defend and respond to a cyber-attack, such as ransomware, including the use of immutable backups and processes for responding to attacks.

The range of third-party providers involved in core business activity is growing. As many organisations reap the benefits of SaaS products and external technical expertise, the operation of the business is increasingly dependent on third parties. This includes many customer-facing services, as well as internal systems (HCM, ERP, etc).

With the increased use of third parties the perimeter of an organisation's cyber defences is effectively increased, consequently the scope of assurance also needs to increase.

Organisations are increasingly establishing in-house capabilities dedicated to marrying skills in both supplier management and security assurance to assess these third parties.

• Review and help define the methodology for assessing the relative continuity, privacy, and security risk of third-party suppliers– as part of which they should identify the high-risk suppliers (these may not be those with the largest spend).
• Assess the security controls over the most important portion of the supply chain – consider risk vs. reward when assessing other suppliers.
• Ensure procurement functions are involved and control assessments of new suppliers are embedded into the onboarding process.
• Encourage the expansion of supplier assurance activities to include assurance over ending relationships with suppliers (returning / destroying data, severing users access, etc).
• Third Party Management teams should engage with other supply chain risk activities (such as ESG, AML, and modern slavery).

As these technologies rapidly advance and permeate various sectors, the urgency to address and manage these risks has heightened, necessitating swift adaptation of regulatory frameworks, ethical guidelines, and security measures to ensure responsible and safe integration.

Several countries have proposed regulations on how organisations can develop and deploy AI. Failure to adopt best practice principles could result in reputational damage if your use of AI is perceived negatively, and if confidential information is disclosed due to a breach or other adverse event.

• Review how the organisation is taking proactive steps to comply with proposed regulations by countries that they operate in.
• Test the effectiveness of AI governance controls, with a focus on ethics, security, explain-ability, transparency, accountability, and contestability.
• Use black box auditing techniques and tools to provide assurance over specific AI use cases within the business.
• Stay informed on evolving AI technologies, collaborating with data scientists, and conduct regular risk assessments.
• Invest in employee training on AI risks and incorporate AI-related audits into regular risk management processes to ensure proactive risk mitigation.

Investment into the decommissioning of Legacy IT has picked up as a reduction in risk appetite at the board level for both resilience and cyber security matters has pushed CTOs and CIOs to prioritise keeping the IT estate evergreen.

Agile methodologies vary greatly in maturity mainly based on the level of experience in those running the transformation agenda. The progression to agile methods alongside the more traditional waterfall approach doesn't reduce the need for project assurance. The same broad risks remain, however the identification of controls points becomes increasing difficult.

Additionally, risk events and the overall risk profile of programmes tend to evolve quicker when agile is adopted, therefore assurance approaches need to reflect this.

• Define a control framework for agile, where delivery teams undertake a comprehensive risk assessment and decide on the Key Risk Indicators (KRIs) to self‑monitor; which will guide the audit team on how to assure.
• Adopt real-time “heartbeat assurance”, where auditors attend scrums, sprint meetings, and governance forums to assess controls for decisions to be made.
• Quantify the increased costs of providing resilience and cyber security from running the legacy estate covering the identification, decommissioning, and funding of out-of-date IT Business as Usual (BaU) costs.
• Ensure new IT solutions are built in sustainable and ‘evergreen’ ways. Futureproof against Legacy IT, including: ensuring that any IP is owned internally, evergreen provisions are included in contracts with service providers; and use MI to monitor the status and risk mitigation for current and end-of-life software.

Cloud assurance issues are increasingly being compounded by the inherent complexity of cloud solutions, lack of visibility at all layers of the computing stack, limited understanding of shared responsibilities for managing cloud controls, and varying compliance requirements for companies operating across multiple jurisdictions.

To address these challenges, organisations need to adopt good practices across all three lines of defence and for giving the same amount of attention across all cloud service models (IaaS, SaaS, PaaS, etc). People are key enablers, therefore teams need to upskill around cloud risks and controls, and call on subject matter experts to provide in-depth tailored insight and independent assurance for the chosen cloud solutions.

• Conduct assessments of cloud environments and controls to provide assurance to senior management and the board of directors.
• Augment teams with cloud subject matter experts who can provide challenge to technology functions on a peer-to-peer level around the design and effectiveness of cloud controls.
• Test the effectiveness of cloud controls and mature assurance activities with increased levels of control testing automation and dashboarding capabilities.
• Review and evaluate third-party vendor risk management processes and controls related to cloud environment.

Security threats and cyber attacks targeting development pipelines will continue to increase in 2024 as the adoption of DevOps practices becomes more commonplace. The increased use of DevOps to manage infrastructure means that even organisations which don't develop software features may also fall prey to these attacks and face data breaches and business disruption.

The fast-paced dynamic nature of DevOps practices is impacting the ability of certain traditional audit methods from keeping pace with change led through DevOps and their ability to provide effective assurance over these.

However, if internal audit and risk functions respond well, the rise of DevOps also presents some opportunities to provide more robust assurance.

• Increase collaboration: auditors should leverage the knowledge of security specialists in the business to guide assessments of risk and whether appropriate mitigations are in place.
• Take learnings from how the technology function have adapted their secure software development practices to DevOps, tailor audit procedures to fit the DevSecOps context.
• Embed security considerations throughout the DevOps cycle, from requirements definition, access to tooling and the source code, to testing and handover to security teams for ongoing monitoring.
• Work with developers and engineers to continuously assess controls, detect anomalies, and generate real-time reports.

Identity and access management (IAM) is a constantly evolving area with increased threats from ‘credential stuffing attacks’ (where credentials obtained from a cyber-attack on one system are used to try and breach another systems) and failures of controls at third parties. With the recent changes to the UK Corporate Governance Code, the importance of internal controls (including IT controls) is now higher than ever on boards’ agendas.

IAM can support the requirements of the Code by ensuring:

• users only have access to data and permissions where there is a genuine business need
• users don’t retain access for longer than is required
• access and changes to key data, and where users perform key transactions, is logged to provide accountability

• Regularly assess the risks and controls in place relating to IAM. This should include privileged access, segregating of duty (SoD) risks, and third-party access for vendors.
• Identify bottlenecks in the operation of controls, common failure points and recommend remediations actions to provide appropriate management of the risks.
• Ensure that IAM controls are considered as part of implementing new applications before they are rolled out.
• Invest in technologies to enable the automated and efficient monitoring of IAM controls and SoD conflicts.
• Encourage management to consider implementing technologies to manage federated access if this is not already in place.

The risks of systems outages are not new and have been high on risk agendas for some time. There continues to be, however, multiple high-profile examples of businesses suffering outages due to issues with Legacy IT, human error, natural disasters, cyber-attacks, and control failures at third parties.

The upcoming revisions to the UK Corporate Governance Code will require boards to monitor and report on risk management and the effectiveness of their internal controls. Given that resilience of technology systems is a major risk faced by organisations, there is an increased need to gain assurance over the controls in place to mitigated this.

• Assess the processes for defining the business’ resilience requirements, including verifying that the appropriate business stakeholders have been involved.
• Conduct assessments of the resilience of the technology solutions (I.e. infrastructure and applications) and third-party service providers (including Cloud providers) against the defined business resilience requirements.
• Assess the plans for managing the risk associated with Legacy IT and identify any gaps and residual risks.
• Take part in, as an active observer, or facilitate, tests of resilience arrangements and the related recovery arrangement.
• Ensure that resilience requirements and controls are considered as part of implementing new applications and contracting with new (including Cloud) providers).

IT control frameworks have been a common practice for financial services firms due to regulatory demands. We are seeing, however, a growing number of large businesses from other sectors commissioning programmes to design, implement and test frameworks. With so many businesses running such programmes simultaneously, and with limited resources available in the market, organisations are facing a resourcing challenge, impacting their ability to deliver these.

The ever increasing expectation and attention on boards to make sure their organisations have sufficient controls in place, including IT controls continues. In this respect Automation and Robotic Process Automation (RPA) have improved IT control programmes by simplifying repetitive tasks, reducing mistakes, ensuring compliance, and enhancing operational efficiency for companies.

• Evaluate management’s identification of the systems that are in scope for completeness of applications, databases, and infrastructure.
• Check whether the framework encompasses all known controls (including application and end user computing controls) based on their understanding of the business.
• Review existing control automation across the organisation and if monitoring is in place that can be leveraged to provide assurance.
• Use automation tools for testing IT controls by applying automated testing scripts, continuous monitoring dashboards, and data analytics to improve efficiency and accuracy in assessments of internal controls.
• Review and track management’s action plans to address any control deficiencies or gaps.