Internal Audit’s Critical Role in Cybersecurity
In an ideal world, cybersecurity plans are well-designed, routinely tested, and executed flawlessly. Everyone knows their role and follows the policies and practices designed to protect the organization from shadowy evil-doers lurking in the ether.
Boards and management are quick to recognize changes in risk and technology, and promptly act to modify plans, as needed. Cybersecurity efforts are supported and strengthened by a healthy organizational culture.
Of course, we don’t live in an ideal world.
Organizations must constantly monitor cybersecurity practices, policies, and plans. This is where internal audit plays a crucial role. Once cybersecurity plans are created, organizations should enlist internal audit to do what it does best – test for effectiveness and efficiency of controls and protocols, and provide the board and management with assurance about those protections.
There are four areas where internal audit focuses on cybersecurity:
1. Provide assurance over readiness and response. According to The IIA Audit Executive Center’s 2016 North American Pulse of Internal Audit report, just one in four respondents who reported having a business-continuity plan said it provided “clear, specific procedures for responding to a cyberattack.” What’s more, 17 percent reported their plans had no such procedures at all. This is the kind of data that should keep the C-suite and board up at night.
Internal audit can help organizations review and test cybersecurity, business-continuity, and disaster-recovery plans. The potential for reputational harm that poorly managed business disruptions create is significant, and it is far better to find faults through mock exercises than in a real-life scenario.
2. Communicate to the board and executive management the level of risk to the organization and efforts to address such risks. Understanding how much of a risk cyberattacks pose and what is being done to mitigate them is essential to managing the risk.
3. Work collaboratively with IT and other parties to build effective defenses and responses. Cyber risk is a business risk, not just an IT risk. Too often, it is magnified, modified, and mystified by being supported solely by IT systems. Building strong, collaborative relationships between internal audit and IT will help ensure mitigation efforts and responses are effective.
4. Ensure communication and coordination. This may be the most valuable benefit internal audit can offer. Because a well-resourced and effective internal audit function has a broad perspective about organizational risks, it is in an ideal position to promote communication and coordination about cyber risks across the organization.
Turf battles over who “owns” the cybersecurity risk are counterproductive and weaken the organization’s cybersecurity efforts. A unified effort where roles are clearly defined creates the best conditions for deterring cyberattacks, executing business-continuity plans when cyberbreaches occur, and building cyber-resilient organizations.
Despite its complexity and formidable challenge, effective cybersecurity is within the reach of most organizations. By using the “Four Rs” – resist, react, recover, and re-evaluate – organizations can build effective cyber-resilience plans.
The recent WannaCry cyberattack provided a shocking wakeup call that even the most basic phishing attacks still can have devastating impacts. The ransomware virus, which claimed more than 200,000 victims in 150 countries, could have been successfully rebuffed with basic cybersecurity measures.
- Instruct employees on defensive cyber etiquette, and enlist internal audit to test for compliance.
- Take advantage of available frameworks and guidance, such as NIST’s Framework for Improving Critical Infrastructure Cybersecurity or the Nymity Privacy Management Accountability Framework.
- Understand the process and importance of software and data updates, and enlist internal audit to test for compliance.
- Test IT controls regularly.
When a cyberbreach occurs, a crisis-management plan is an essential component of effective business-continuity management.
- Immediately assess the scope of the breach and method for addressing it.
- Ensure that each part of the organization understands and carries out its role in crisis-management and business-continuity plans.
- Communicate with transparency and with a single voice.
- Internal audit should monitor and assess the response.
Strong business-continuity planning and proper execution of those plans can help an organization quickly recover from a cyberbreach.
- Identify necessary steps to safely and quickly restore business operations.
- Ensure frequent internal communications throughout the recovery.
Analysis of processes, procedures, and their execution is essential once the crisis has passed and operations are restored and secure.
- Look for ways to improve the crisis response.
- Determine training/retraining needs.
- Consider what role, if any, corporate culture played in contributing to the breach.
- Review data and security privacy policies.
- Consider what role, if any, third-party risks played in contributing to the breach.
Successful cybersecurity requires a unified and coordinated effort. Management and boards can manage the effort effectively if they understand the scope of the challenge, commit the necessary resources to develop and execute an informed strategy, support internal audit’s independent oversight and review, and nurture open communications and cooperation among the key players.
Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, is president and CEO of The Institute of Internal Auditors, the internal audit profession’s most widely recognized advocate, educator, and provider of standards, guidance, and certifications. Established in...