Cyber Security

No IT system is 100% secure. What matters is how prepared you are. Understanding the criticality of information security, TIAA have a number of specialist Cyber Security experts ready to provide assurance, training and advice.

Risk and damage limitation

“Some attacks will get through. What you need to do is cauterise the damage.” Ciaran Martin, Former Head of the National Cyber Security Centre

The Information Commissioner’s Office requires notification of a data breach of personal information, resulting from a cyber-attack, within 72 hours. Many organisations don’t have robust monitoring capability to detect such incidents, let alone to proactively identify patterns which could show the initial stages of an attack.

TIAA’s approach recognises the importance of a multi-layered approach to cyber security protection. Utilising our robust and holistic suite of tools, we can provide a range of audits and assurance pieces which provide challenge to the Cyber Security Management System, in both maturity and technical controls. Our approach is fully integrated, and we assist organisations in identifying any root cause indicators which are compromising the security posture. We take great pride in being able to translate and convey this hugely complex area into a form which is compatible with delivering sound business assurance.

Readiness to respond and recover

As a fully integrated element of Digital Audit and Assurance, we utilise our in-house skills and resources to provide a seamless service for the organisation. This can include linkage to Fraud Resilience and Investigatory Services, utilisation of Passive Penetration Testing (vulnerability scanning), and deep dive digital forensics reviews. We can help make sure your organisation has appropriate readiness to respond and recover, thereby minimising potential disruption, financial loss, or reputational damage.

Recognising user education and awareness as a key element in achieving the National Cyber Security Centre (NCSC) 10 steps to cyber security, we can offer an extensive range of training services to empower your staff.

Who we help

We offer bespoke business assurance services tailored for each industry and sector


At the heart of effective Housing Associations are data collection systems that provide information to support decision making, stock condition, rents, loans, tenant services, health and safety and achievement of consumer standards. Some of this information may be highly sensitive personal information relating to safeguarding individuals. Compliance with the Data Protection Act to ensure the security, data integrity, and availability of these systems is paramount. An increase in remote working has added to the cyber security risks associated with critical information assets. Ransomware, malware and phishing attacks that attempt to exploit changes in the way of working are increasing. Many Housing Associations use Cloud IT service providers, and may have limited in-house IT capability or capacity. Cloud services are experiencing an increase in attacks such as account hijacking and impersonation.

In order to provide assurance on the management of these risks we can provide focussed reviews in specific areas such as:

  • Software Application Control reviews of your data collection systems
  • Data Analytics reviews to examine data integrity and quality
  • Cyber Security reviews and vulnerability scanning of your technology assets and infrastructure (including cloud services)
  • Data Protection Compliance Audits.


Digital technology underpins the delivery of the National Health Service Long-Term Plan. An effective healthcare system will increasingly require a more joined up and co-ordinated approach; increased agility in providing proactive services; and improving population health. Alongside redesign of provider healthcare provision and improvements in out-of-hospital care, digitally enabled primary and outpatient care will enable a more effective approach to the delivery of services. Clinical Safety and Healthcare data are probably two of the most sensitive aspects associated with improving patient care wellbeing and personal data privacy for patients. Healthcare holds vast amounts of data on the population, and many of the patient services it offers are dependent on the safe, controlled sharing between services and IT applications. Cyber security remains a significant risk to NHS organisations, where successful attacks could potentially lead to disruption of services, or to loss of or tampering with data that may lead to patient harm.

In order to provide assurance on the management of these risks we can provide focussed reviews in specific areas such as:

  • Digital Programme and Project assurance reviews aligned to your objectives
  • Patient Software Application Reviews of your patient data collection systems that take into consideration clinical safety
  • In depth Cyber Security reviews and vulnerability scanning of your technology assets (including medical devices) and infrastructure
  • Focussed Information Governance review to provide independent assurance toward achievement of the requirements of the NHS Data Security and Protection Toolkit.

Higher Education


The Education sector has faced unique challenges and technology risks. The sector has needed to show agility in its strategic response to recent events by embracing on-line learning for students as well as ensuring that the workforce can safely deliver these services remotely. Significant risks to cyber security have crystallised across the sector, with some providers of cloud services and their education customers subject to data breaches and disruption of payment services. A traditional open access approach to IT security, commensurate with academic need, needs to be balanced with effective security solutions to protect educational institutions, intellectual property and students. In addition, each year the sector has a fresh set of students who will all need to learn and adopt IT security measures. The IT estate of devices is also challenging, as users tend to have their own device, which cannot be forced to be secure or compliant with best practices.

In order to provide assurance on the management of these risks we can provide focussed reviews in specific areas such as:

  • In depth Cyber Security reviews of your corporate and academic network design supported with vulnerability scanning of your technology infrastructure
  • Targeted assurance reviews of on-line cloud learning platforms and Student Information Systems
  • Technical assurance reviews of remote working solutions
  • Reviews of digital strategy re-alignment.


Charities face unprecedented times with funding pressures and increased service demand. In response, a strong presence is required in the digital marketplace to support fund raising and provision of charitable services. Databases of donors need to meet legislative requirements for Data Protection. Recent high-profile attacks, such as the Blackbaud platform hack, have caused a substantial increase in risk to Charities, who are largely dependent on cloud-provisioned services for all aspects of IT and administration. Charities may suffer irreversible damage to their reputation, and subsequently their income, if a cyber-attack results in a breach of personal data of those donating.

In order to provide assurance on the management of these risks we can provide focussed reviews in specific areas such as:

  • Digital Strategy reviews
  • Cyber Security reviews of your digital infrastructure
  • Targeted assurance reviews of fund raising apps
  • Reviews of Data Protection Compliance.


Digital trends indicate that local government is increasingly looking at off-premise digital infrastructure solutions to support economies in the delivery of its services. The increase in remote working is also driving a digital transformation toward cloud-based applications. The Public sector has been struggling with significant reductions in income, and an expectation of delivering the same services with less resource. As a result there may be inadequate investment in IT, leading to the potential for technical debt. This may manifest in a reduction in the availability or functionality of key IT systems. Poorly specified IT can also lead to cyber security breaches, poor user experience or inefficient business processes, e.g. lack of system interoperability due to the perpetuation of an unsupported version. The closer working between social care and healthcare services requires consideration of integrated solutions to improve public health, whilst ensuring mitigation of the Data Protection risks associated with information sharing and safeguarding the vulnerable.

In order to provide assurance on the management of these risks we can provide focussed reviews in specific areas such as:

  • Reviews of Digital Infrastructure solutions and shared IT services
  • Cyber Security reviews
  • Technical assurance reviews of remote working solutions
  • Targeted assurance reviews of software applications used to support service delivery
  • Reviews of Data Protection Compliance.


We also offer services to other sectors, including Credit Unions and Private and Commercial organisations. Please get in touch if you would like to find out more about these services.
