
Internal Audit Taking a More Holistic Approach to Cybersecurity

Aug 19th 2015

Cyberattacks are the reality of business today, but a strong internal audit function can provide the holistic approach to cybersecurity that's needed to survive.

It's all about preparation – not just in anticipating an attack but in getting through it and recovering from it, according to a new report, Internal Audit's Role in Cyber Preparedness: The Importance of a Holistic Approach, developed by the Institute of Internal Auditors (IIA) Research Foundation.

“Organizations must get beyond simply trying to keep the cyber-invaders out,” IIA President and CEO Richard Chambers said in a prepared statement.

According to the survey results, that approach is sorely needed. When IT workers, risk managers, and accountants were asked to rate the risk level of damaging data breaches at their companies, all of them indicated moderate to extreme levels. (Interestingly, IT workers and risk managers were almost opposite in their estimation of risk. IT workers indicated a 46 percent extreme risk and 36 percent moderate. Risk managers estimated a 35 percent extreme risk and 42 percent moderate.)

Internal audit has the “enterprise-wide perspective” needed to institute that holistic approach, according to the report. Chief audit executives (CAEs) are in a particularly sensitive position when it comes to educating boards and audit committees about cybersecurity needs.

“The challenge with cybersecurity is that it is an unknown risk, and boards and audit committees don't see it in the same way they see other risks that can create business disruptions,” James Reinhard, auditing director at Simon Property Group Inc., said in the report. “It's up to the CAE to possibly bring in the chief information officer (CIO) or someone from corporate communications to begin to build awareness about what's already being done within the organization.”

The report highlights five areas in which internal audit can play a key role in the holistic approach to cyber preparation.

  1. Protect against and identify vulnerabilities.
  2. Employ data analytics to detect breaches. CAEs should work with IT, CIOs, and chief information security officers to make sure proper controls are in place.
  3. Ensure that the business will continue to operate.
  4. Manage crises and communication properly; doing so preserves a company's brand reputation and reassures customers and shareholders.
  5. Keep education ongoing, so that strategies can be improved to better deal with the next attack.
