Advancing Public Sector Audit, Oversight & Governance

Information Technology Security

Information technologies are ubiquitous in the 21st century. Smart phones, tablets, and various other connected devices have, in only a few years, become fully integrated in our daily lives. The pace of technological innovation is steadily accelerating, with futuristic-sounding ideas, like self-driving cars, set to become a reality soon.

While all these new technologies have brought citizens of all nations important benefits and opportunities, they have also introduced new risks that need to be carefully managed. Computer viruses, ransomware, phishing, hacking, and identity theft are all examples of information technologies being used for wrongful purposes, often with disastrous and costly results. Rarely a month goes by without the news media reporting yet another large corporation being hacked and the private information of thousands, sometimes millions, of individuals being stolen by cyber pirates (be they thrill-seeking teenagers, “hacktivists,” perpetrators of organized crime, terrorists, or hostile state actors).

The wrongful use of information technologies can have consequences far beyond the theft of private information. Public sector organizations are also at risk. In recent times, for example, cyber pirates have successfully stolen more than 20 million personnel records at the United States Office of Personnel Management and deleted all the data in Saudi Arabia’s national oil company’s IT systems. In the United Kingdom, they also took many hospital IT systems hostage through the use of ransomware, forcing some hospitals to cancel non-urgent appointments.

Furthermore, because public industrial and transport infrastructure is now increasingly connected to corporate networks and the Internet, it has become susceptible to cyber attacks that can cause physical damage and disrupt important services. For example, in recent years, hackers have managed to temporarily shut down electricity generation in Ukraine and have damaged a steel mill in Germany and nuclear program equipment in Iran.

All connected assets, from smart phones to self-driving cars to industrial control systems, are, to some extent, at risk of being hacked. And, as time passes, the number and types of connected devices increase rapidly, as does the number of hackers and their skills at finding weaknesses in IT systems.

In this environment, public sector organizations must remain hyper-vigilant. They must implement the latest good practices in IT risk management to protect their IT assets from unauthorized access and to prevent the unauthorized use, disclosure, disruption, modification, review, and destruction of the information they contain.

Only by effectively managing their IT security risks will public sector organizations be able to:

  • protect the confidentiality, integrity, and availability of the information they possess;
  • protect key public infrastructure, such as electricity production installations and public transit systems, from cyber attacks; and
  • ensure business continuity and the availability of services to citizens.

Internal and legislative auditors can help public sector organizations achieve these goals by providing independent assurance about whether IT security risks are well managed and by making recommendations for improvements where needed.

This Focus On issue includes:

  • A list of selected audits on information technology security that have been released in the previous five years and compiled in the Audit News Database.
  • A summary of each selected audit that includes information on audit objective(s), scope, criteria, findings and recommendations.
  • An analysis of the main audit areas covered by the selected audits in the past five years.
  • Web links to full audit reports and guidance documents referenced in the issue.
