Cybersecurity is top of mind for most executives and board members, as well as to internal audit.
While the information security team may be in charge of measurably reducing cyber risk within the business, internal audit has an important role to play too.
As the cyber threat landscape continues to evolve, attacks aimed at organizations are increasing. Half the security professionals responding to ISACA’s 2018 State of Cybersecurity Study said their organizations had seen an increase in cyber attacks during the preceding twelve months.
Indeed, given the rate at which many organizations are implementing new technology, as well as the number of mobile devices flooding the enterprise’s network, the risks will likely continue to increase. Yet, only about half of internal audit leaders conduct cyber risk assessments, according to Deloitte’s 2018 Global Chief Audit Executive research survey. Those that aren’t performing the assessments may be hampered by limited budgets and/or skills.
Internal audit can help protect the business by regularly conducting cyber risk assessments. The following brief steps are a starting point for approaching cybersecurity challenges.:
1. Start With the Business Context
If the cybersecurity assessment isn’t conducted within the context in which the organization operates, it’s likely to highlight gaps that may or may not be a priority for the organization, says Sunny Aziz, Deloitte principal in Deloitte & Touche LLP’s cyber risk services. No organization can protect against every risk; by considering the business context, you’re more likely to focus on risks most relevant to the business.
2. Ask to Get Involved Early in IT Project Lifecycles
Slightly more than one-third of respondents to another ISACA report, The Future of IT Audit, said auditors at their organizations typically get involved in technology projects at the planning stage.
That’s a sound starting point but leaves room for improvement. By partnering with business units from the time they begin defining the project requirements, internal audit can provide expertise before decisions are made that are expensive and difficult to undo, says R.V. Raghu, ISACA board member and director of Versatilist Consulting India Pvt. Ltd.
3. Assess All Devices on the Network Cybersecurity Systems
Cybersecurity encompasses any system connected to the internet, says Jason Claycomb, principal, Inarma LLC. This includes the obvious tools, like computers and servers, as well as elevators, copiers, and HVAC systems. It’s been widely reported that the hackers behind the 2013 data breach at Target accessed the retailer’s IT network through the HVAC system. Internal audit should work with security and IT to ensure they’re identifying all network devices.
Once you’ve identified each system and device, determine the risk they pose. For instance, which contain data that could be used maliciously? Even if they don’t store sensitive data, check the systems to which they connect and the data those systems contain, as hackers may try to exploit the connection between the systems.
Ask for a “network diagram,” as this will help provide an understanding of the IT environment, Claycomb says. You can gain a clearer picture of the risks posed by the various tools and systems that make up the IT network and determine how to prioritize them.
4. Recognize the Specialized Nature of Cybersecurity
Cybersecurity has become a specialized field, says Mary Siero, president of IIT Consulting in Lexington, North Carolina. Even qualified IT professionals may lack the expertise needed to ensure a robust cybersecurity environment.
One way to evaluate the skill sets of your organization’s IT professionals’ is by their certifications. One of the most widely recognized is the Certified Information Systems Security Professional (CISSP), Siero says. Another is ISACA’s Certified Information Security Manager. Internal audit also can ask about the type of training, and its frequency, the IT staff has had.
5. Ask About the Cybersecurity Framework
A cybersecurity framework, like that developed by NIST, provides a structured approach to the steps that need to be taken to protect information infrastructure, Raghu says. By following the framework, organizations are less likely to overlook a risk, such as the vulnerabilities vendors can present.
If your organization has adopted the NIST framework, you can take steps to determine whether it’s actually following it. For instance, one is checking whether the organization has categorized the systems and information processed, stored, or transmitted, based on a risk analysis.
6. Focus on Operations
While technical tools, like antivirus solutions, play a role in any cybersecurity program, operations and policies are critical. “Good operations equal good security,” Siero says. This includes robust programs for patch and change management, as well as cybersecurity awareness training for all employees.
Role-based access to systems is another fundamental concept. Internal audit can work with the business unit and/or IT to check whether employees have only the access they require to do their jobs, and no more. The IT organization also should have developed an incident response plan that lays out how incidents are detected and resolved, and what role each employee plays in responding to them.
7. Check for Both Preventive and Detective Tools
The focus in cybersecurity historically has been on protection and preventive controls, like firewalls. While these remain important, it’s impossible to prevent everything. That’s why detection tools are critical. The sooner an incident is detected, the less costly it is for an organization.
This often means tools that monitor the IT environment and issue alerts when something out of the ordinary happens. Internal audit should ask for a list of security and monitoring tools in use, and then work with the information security department to identify how the organization is using them, Siero says.
8. Assess Security Awareness Training
Given how adept bad actors have become at creating emails and other communications that appear legitimate but contain viruses or malware, training is critical.
“People can be the weakest or strongest link,” in cybersecurity, Raghu says.
During an audit, you’ll want to check that a procedure is in place the requires all employees to receive cybersecurity instruction before they can access the organization’s systems, and then on an ongoing, regular basis. When purchasing new software, the organization should add a budget for training. Users that aren’t adequately trained may bypass or defeat some control, even inadvertently, potentially exposing the organization to risk, Raghu says.
One way to audit for user training is to conduct regular phishing tests, Siero says. Employees who click on the test email receive a warning and information on phishing scams. With frequent testing, the number of people who fall for the phishing emails should decline over time.
9. Review the IT Governance Structure
Robust IT governance encompasses structures, like an IT steering committee; decision-making processes; and policies and standards, Siero says. For instance, can the business units purchase their own software without input from IT? If so, that can increase security risks.
At the same time, IT should have in place standards that guide its purchases. These might state, for instance, that the systems purchased need to assist business processes and add value to the organization. In other words, employees can’t just buy something because they want it.
Given the proliferation of cybersecurity risks, organizations need to integrate assessments of their cybersecurity profiles within their business strategy. This will help them determine how to best focus resources and stay on top of changing threats.