In a study released last month, global consulting firm Protiviti and researchers from North Carolina State University reported that cybersecurity had shot up the list of the top risks facing C-suite executives and corporate board members in 2015. Cyber-risk also represents a major focus of internal audit programs, and according to a new Protiviti report, internal auditors are working more closely with corporate executives to address and manage security risks.
Of the more than 800 internal audit professionals polled for Protiviti’s report, From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions, which was released on March 3, 30 percent said there is a “high level” of board engagement in information security risks. More than half (53 percent) of the internal audit professionals surveyed said cybersecurity evaluation has been included in their company’s current audit plan, and 60 percent noted their organization uses the National Institute of Standards and Technology (NIST) Cybersecurity Framework to measure and evaluate existing programs.
The report also found that nearly half of organizations with a high level of board engagement (47 percent) rate themselves as “very effective” at identifying cybersecurity risk. Seventy percent of organizations that include cybersecurity in their audit plan have a cybersecurity risk strategy in place.
“Across the globe, businesses are continuing to experience cybersecurity issues, challenges, and breakdowns,” said Brian Christensen, executive vice president of global audit and financial advisory for Protiviti. “Our survey shines a light on the evolving set of challenges faced by internal audit professionals as they work to incorporate cybersecurity frameworks into business processes. Those professionals who continue to engage board members and define cybersecurity measures within their annual audit plans will be poised to effectively mitigate future threats.”
Internal audit professionals were asked to rank the biggest cybersecurity risks to their organization on a scale of 1 (posing the lowest level of risk) to 10 (posing the highest level of risk). The top 10 risks were:
1. Data security (company information; 7.9)
2. Brand and reputational damage (7.7)
3. Regulatory and compliance violations (7.5)
3. Data leakage (employee personal information; 7.5)
5. Viruses and malware (7.3)
6. Interrupted business continuity (7.2)
7. Financial loss (6.8)
8. Loss of intellectual property (6.6)
9. Loss of employee productivity (6.4)
10. Employee defamation (5.8)
“In terms of the value of addressing cybersecurity risks, organizations view their ability to identify issues, risk, or control problems early to be most important,” Protiviti stated in the report.
10 Cybersecurity Action Items
The global consulting firm also included in its report 10 cybersecurity action items for chief audit executives (CAEs) and internal audit departments to consider.
1. Work with management and the board to develop a cybersecurity strategy and policy.
2. Seek to have the organization become “very effective” in its ability to identify, assess, and mitigate cybersecurity risk to an acceptable level.
3. Recognize the threat of a cybersecurity breach resulting from the actions of an employee or business partner.
4. Leverage board relationships to heighten the board’s awareness and knowledge of cybersecurity risk, and ensure that the board remains highly engaged with cybersecurity matters and up to date on the changing nature and strategic importance of cybersecurity risk.
5. Ensure cybersecurity risk is formally integrated into the audit plan.
6. Develop – and keep current – an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.
7. Evaluate the organization’s cybersecurity program against the NIST Cybersecurity Framework, while recognizing that the framework does not go to the control level and, therefore, may require additional evaluations against ISO (International Organization for Standardization) 27001 and 27002.
8. Recognize that with regard to cybersecurity, the strongest preventive capability requires a combination of human and technology security – a complementary blend of education, awareness, vigilance, and technology tools.
9. Make cybersecurity monitoring and cyberincident response a top management priority – a clear escalation protocol can help make the case for (and sustain) this priority.
10. Address any IT/audit staffing and resource shortages, which represent a top technology challenge for many organizations and can hamper efforts to address cybersecurity issues.
In a separate report from the Institute of Internal Auditors (IIA), which was released on March 8 during the 2015 General Audit Management Conference in Las Vegas, nearly seven in 10 internal audit leaders ranked cyberattacks and other security issues as a high or critical priority.
However, only about one-third of the CAEs and directors surveyed said they have a high degree of confidence in their organization’s ability to identify and adequately address emerging risks on a timely basis, according to the IIA Audit Executive Center’s 2015 North American Pulse of Internal Audit.
“It’s clear that organizations must improve how they identify emerging risks and related risk-mitigation strategies,” said IIA President and CEO Richard Chambers. “At the same time, internal audit must improve how it addresses emerging risks and then engage with its stakeholders.”