How Internal Auditors Can Strengthen Cybersecurity in Their Organization
19 November 2018
When people think of internal audit, they probably don’t associate it with the technical field of cybersecurity – but that’s changing. Internal auditors are known as the eyes and ears of the company: they oversee their organization’s risk management, governance and internal control processes and make sure those processes are operating effectively. As technology and business continue to intertwine rapidly, cyber attacks are now considered a major business risk, which brings internal auditors into an area that has been dominated primarily by IT professionals.
Despite the differences between the two functions, internal auditors are poised to be the support that IT teams will need going forward, since the outlook on cyber risk isn’t rosy. Risk Based Security reports that 2018 will have the second-highest number of reported breaches in a year since 2005: an estimated 3,676 breaches and 3.6 billion records compromised, with only 13 percent of those breaches discovered internally. Additionally, Cybersecurity Ventures estimates that there will be a ransomware attack on a business every 14 seconds by the end of 2019.
As cybersecurity threats grow stronger, so must the cybersecurity defenses of every organization. That means no single function can “own” cybersecurity on its own – it must be a cooperative effort. Here are some ways internal auditors can help their IT teams strengthen cybersecurity in their organization:
Advise on Cybersecurity Best Practices
There are more resources than ever on protecting yourself and your company from data breaches, phishing and other cyber attacks. However, because IT and security professionals are busy with day-to-day security and risk work, they often don’t have time to keep abreast of new security measures, frameworks or regulations, let alone to verify that those measures are effectively implemented. Internal auditors can therefore be allies to cybersecurity teams by introducing new best practices and determining which ones fit the company’s overall cybersecurity strategy. They can then communicate to other departments, executive management and board members what the company’s cyber risks are and how these best practices mitigate them.
Review and Test Cybersecurity Practices
Objectivity is important when assessing the effectiveness of cybersecurity practices, and that is precisely what internal auditors can provide to their IT department. An unbiased yet critical review of the measures and controls currently in place gives IT teams the feedback they need to improve their existing security measures or to address a risk they haven’t mitigated. As stated earlier, IT professionals are bogged down by day-to-day security tasks, so they can’t always see the big picture of the organization’s cyber risk. A well-structured and thorough test of both the preventative measures and the mitigation measures that would apply if a cyber attack does occur adds another layer of protection against even the most complex threats. Such testing also presents an opportunity to find out whether more security tools or personnel are needed to fully prevent and mitigate threats.
Create a Response Plan in Case of a Crisis
Part of cybersecurity is knowing how to respond to an attack after it has occurred. Despite all the planning and preparation, a cyber attack can still happen, even when the chance of it occurring is minimal. Regardless of the odds, it’s crucial to have a crisis plan ready that covers multiple scenarios. Internal auditors can develop this plan by assessing which risks are most likely to materialize and creating steps for each business function to follow in the event of a cyber attack. No matter the source of the breach, every function has a role to play. Internal auditors also have the responsibility to oversee that each function is carrying out its part of the plan and to review the effectiveness of the plan once the breach is contained.
As it turns out, most companies don’t even have a formal cybersecurity incident response plan (CSIRP) in place. A global study conducted by the Ponemon Institute reports that 76 percent of companies did not have a CSIRP in 2017. Cyber attacks are no longer a matter of if they will happen, but when. Internal auditors can take the lead and work collaboratively with IT, executive management, marketing communications and other functions to develop a comprehensive crisis plan for high-, medium- and low-level cyber threats.
It’s no surprise, then, that cybersecurity should be a coordinated effort across the company. Internal auditors offer broad, risk-aware expertise and skills that allow them to bolster cybersecurity and support IT departments in their effort to keep the company secure.