Internal Audit Taking a More Holistic Approach to Cybersecurity
Cyberattacks are the reality of business today, but a strong internal audit function can provide the holistic approach to cybersecurity that's needed to survive.
It's all about preparation: not just anticipating an attack but getting through it and recovering from it, according to a new report, Internal Audit's Role in Cyber Preparedness: The Importance of a Holistic Approach, from the Institute of Internal Auditors (IIA) Research Foundation.
"Organizations must get beyond simply trying to keep the cyber-invaders out," IIA President and CEO Richard Chambers said in a prepared statement.
According to the survey results, that approach is sorely needed. When IT workers, risk managers, and accountants were asked to rate the risk of a damaging data breach at their companies, all three groups rated it moderate to extreme. (Interestingly, IT workers and risk managers split nearly inversely between the two ratings: 46 percent of IT workers rated the risk extreme and 36 percent moderate, while 35 percent of risk managers rated it extreme and 42 percent moderate.)
Internal audit has the "enterprise-wide perspective" needed to institute that holistic approach, according to the report. Chief audit executives (CAEs) are particularly well placed to educate boards and audit committees about cybersecurity needs.
"The challenge with cybersecurity is that it is an unknown risk, and boards and audit committees don't see it in the same way they see other risks that can create business disruptions," James Reinhard, auditing director at Simon Property Group Inc., said in the report. "It's up to the CAE to possibly bring in the chief information officer (CIO) or someone from corporate communications to begin to build awareness about what's already being done within the organization."
The report highlights five areas in which internal audit can play a key role in the holistic approach to cyber preparation.
- Protection: identifying vulnerabilities and making sure they are addressed.
- Detection: employing data analytics to detect breaches. CAEs should work with IT, CIOs, and chief information security officers (CISOs) to make sure proper controls are in place.
- Business continuity: ensuring that the business keeps operating during and after an attack.
- Crisis management and communication: a well-run response preserves the company's brand reputation and reassures customers and shareholders.
- Ongoing education: lessons learned from each incident are used to improve strategies for dealing with the next attack.
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.