Internal Audit's Role in Fighting Cyber Attacks

Cyber-attacks are growing rapidly as our world becomes more digitally integrated on a global scale. From ransomware holding data hostage to phishing campaigns that impersonate trusted senders to deceive users, cybercriminals are looking to exploit the ever-growing volume of data in today's world for easy payouts. A troubling statistic from Cybersecurity Ventures estimates that cybercrime will cost businesses $6 trillion annually by 2021, up from $3 trillion in 2015.

Companies are now looking beyond addressing this existential threat with strong information technology (IT) security alone and are leveraging the expertise of internal audit groups to report on the effectiveness of cyber risk management functions within the organization. Internal audit provides independent, objective assurance that helps business leaders gain insights into improving processes and controls, resulting in decreased expenses, enhanced performance, and increased profits. The global accounting firm KPMG recently released its Top 10 in 2020 report, outlining specific areas where internal audit groups should focus to add value across the enterprise while maximizing their influence on the organization. Coming in at #4 on the list is cybersecurity, which we will look at in closer detail.

This article focuses on the need for internal audit to play a central role in helping organizations judge the effectiveness of their current cybersecurity measures and on how those measures can be improved to meet the ongoing challenges of cybersecurity.

Top Drivers of Focus on Cybersecurity

New & Emerging Cyber Threats

Cyber threats are increasing in frequency and variety at an immense speed. By the time an organization has analyzed one type of cyber threat, another is waiting to be deployed for illicit gain. Organizations must accept that cyber-attacks are here to stay and will only grow in complexity as attackers seek to exploit any and all system vulnerabilities.

Internal audit groups can help organizations stay vigilant and resilient by assessing their capabilities to manage these growing threats. Just as internal audit helps companies stay in compliance with industry-specific regulations, the same processes can be applied to the organization's own cybersecurity controls to counter external threats.

Avoiding Disastrous Consequences of Data Breaches

Data breaches are bad for business. These catastrophic events result in exposure of internal data, the possibility of regulatory action, and reputational damage that can tarnish an organization's brand for years after a breach occurs. No company wants to end up on national or even global news networks because of a breach; for examples of who not to be, simply look up companies like Equifax, Target and Yahoo.

The Yahoo incident remains the largest known breach to date: the intrusion occurred in 2013, was disclosed in 2016, and was eventually found to have compromised an estimated 3 billion accounts. Internal audit has the skills and tools to help businesses stay off these lists of massive cyber breaches, which leave a stain on the entire organization that can last for years.

Preventing Loss of Valuable Data & Capital

Attackers are in search of one thing when it comes to cyber-attacks: access to data. The three types of data most commonly exposed during a breach are personally identifiable information (PII), personal financial information (PFI), and personal health information (PHI). The most popular category of data stolen by cybercriminals is PII, accounting for a reported 42.9% of all data lost in 2016. The theft of personal customer data harms innocent customers, which is the greatest loss for any organization: when customers cannot trust your business to keep their private data safe, they will take their business elsewhere.

Loss of customers is only the tip of the iceberg; the compounding effects include reputational damage and the impact on the bottom line from regulatory fines, which can be quite hefty. Internal audit groups must assess and report on how effectively internal systems protect valuable data from outside threats, so that catastrophic breaches do not decimate the company's bottom line.

Top Ways Internal Audit Can Support Effective Cybersecurity

Gartner recently published its 2019 Audit Key Risks and Priorities Survey, which found that 77% of audit departments plan to cover cybersecurity detection and prevention in their activities in the next 12-18 months. However, only 53% of the audit departments surveyed are confident in their ability to deliver assurance over cybersecurity detection and prevention risks. Internal audit teams can help their businesses ensure effective cybersecurity processes and protocols by following these tips:

Reviewing Device Encryption

Businesses today are more mobile than ever before. Laptops, mobile devices, tablets, and even smart watches can all send and receive company data that may hold sensitive information. Internal audit groups should make it a priority to review the data encryption controls across all devices used for business, both for data stored on the device and for data in transit. Assessing password strength, two-factor authentication, and virtual private network (VPN) connections alongside encryption is an effective strategy for ensuring company data stays safe from outside parties. The review should confirm that these controls are actually enforced on the devices in use, for example through endpoint management reporting, rather than merely documented in policy.

Evaluating employee security training

The Ponemon Institute and IBM's annual Cost of a Data Breach report found that 25% of all data breaches in 2018 were caused by human error. Human errors will always occur in business, but with proper education programs in place, businesses can significantly lower the risk of human error leading to cybersecurity vulnerabilities. Internal audit groups should be actively engaged in assessing cybersecurity training programs, taking a close look at their scope, frequency, and content effectiveness.

One example is phishing training, which teaches internal employees what to look for in suspicious emails so that they do not accidentally click a fraudulent link or transfer funds to an illicit account. These situations can be avoided by cybersecurity education delivered in a consistent and clear manner, and internal audit can verify that these programs remain effective, for instance by reviewing the results of phishing simulations over time, so that sensitive data stays in and cybercriminals stay out.

Participating actively in cybersecurity-related groups & committees

Internal audit can play a central role in cybersecurity effectiveness simply by becoming active and collaborating with internal stakeholders on cyber-related issues. Internal audit should take an active role in cybersecurity groups and committees that develop cybersecurity strategies and policies. This helps identify, assess, and mitigate the cyber risks that are present and emerging in the company's business environment. Transparency is another major outcome when internal audit is actively involved in discussions about cybersecurity practices, as it helps bring to the surface underlying security issues that could cause adverse outcomes if not identified and analyzed properly.

Wrapping Up

Internal audit already plays a vital role in ensuring the effectiveness of risk management and compliance within organizations. These teams should also be assessing the effectiveness of cybersecurity programs to combat one of the top global risks: cyber-attacks. Digital attacks will only continue to grow in frequency and severity, and it is the responsibility of internal audit and all senior leadership to become generals in the war against cybercrime.

Cory Mangum

C.R. Mangum is currently a Risk & Insurance Manager for Future Infrastructure Holdings, a private equity holding company located in Dallas, Texas. He is also an adjunct professor at Temple University, assisting the Online MBA and undergraduate RMI program.
