Tools for the job: Fortify your defences against cyber threats
In today’s digital landscape, organisations face ever-evolving cyber threats, from ransomware to phishing scams and everything in between. However, the evolution of internal audit practices creates new resilience against such threats. Meticulous risk assessment and proactive monitoring can help internal auditors to act as guardians against all types of cyber threat, from ransomware and phishing scams to business email compromise (BEC) attacks and brand impersonation.
Internal audit as a shield
Internal audit has always had a pivotal role in mitigating cyber risks and safeguarding organisational assets. However, recent developments in internal auditing processes have taken its role beyond traditional risk-assessment methods. Internal audit teams can now use innovative technologies and methodologies to adapt rapidly to the changing cyber threat landscape.
Key recommendations for internal audit teams:
Monitor continuously. Continuous monitoring practices enable teams to detect and respond to cyber threats in real-time. This involves leveraging automated tools and analytics to monitor network activity, detect anomalies and identify potential security breaches promptly.
Develop cyber security skills. As cyber threats become increasingly sophisticated, internal audit teams must continually enhance their cyber security skills and knowledge. Training and professional development opportunities for audit staff are essential if they are to stay abreast of emerging threats and best practices in cyber security.
Integrate data analytics. Integrating data analytics capabilities into audit processes enables teams to enhance risk assessment and detection of suspicious activities. By analysing large volumes of data, internal auditors can identify patterns, trends and anomalies indicative of cyber threats more effectively.
Collaborate with IT and security teams. Fostering collaboration with information technology and security teams helps internal audit to gain insights into the organisation’s IT infrastructure, security controls and vulnerabilities. By working closely with IT and security professionals, internal auditors can better understand the organisation’s risk profile and tailor their audit procedures accordingly.
Ethical artificial intelligence
A solid understanding of ethics and a robust corporate culture play a crucial role in protecting organisations against cyber threats. Internal audit can help management to monitor the existing organisational culture, support cultural interventions and establish whether employees at all levels understand the behaviour expected of them – both in terms of cyber security precautions and ethical behaviour more generally. This supports good decision-making throughout the organisation and underpins stronger awareness of governance and controls.
Artificial intelligence (AI) adds a new layer to this. As more organisations rely on AI systems for decision-making and automation, it’s essential to ensure that these are transparent, accountable and free from biases. Internal auditors can help organisations to implement ethical AI practices by conducting audits of AI algorithms and ensuring compliance with regulatory requirements. It helps if they are involved in AI initiatives from the beginning, so they can advise on risks and suggest solutions.
Components of enterprise cyber preparedness
Forewarned is forearmed, and when it comes to cyber threats, preparation is key. That’s why it’s essential to lay the groundwork for enterprise cyber preparedness, from governance and strategy to incident response and employee training.
Governance and strategy provide the foundation for effective cyber security management, so internal audit should be involved to offer support and advice, and to ensure the internal auditors fully understand how the organisation intends to manage its cyber risks. Organisations must establish clear policies, procedures and accountability structures. It’s important to define roles and responsibilities and set strategic objectives aligned with business goals.
Risk assessment is critical. Organisations that identify and prioritise cyber risks can allocate resources more effectively and implement targeted risk mitigation measures. This involves conducting regular risk assessments, evaluating the likelihood and potential impact of cyber threats, and developing risk-mitigation strategies tailored to the organisation’s specific needs.
Incident response is equally important. Despite best efforts to prevent breaches, incidents will occur, and organisations must be able to respond swiftly and effectively. Internal audit can help management to establish a formal incident response plan and to ensure that designated response teams are in place and that regular training exercises are conducted. By implementing proactive measures such as threat intelligence monitoring and incident detection systems, organisations can detect and respond to cyber threats more effectively, minimising the impact on business operations and reputation.
Employee awareness and training play a crucial role in creating a culture of cyber security. Human error is still a common cause of cyber incidents, so it is essential to educate employees about cyber threats and best practices. Internal audit should ensure that its own team and the rest of the organisation attend regular training programmes on phishing awareness, password security and safe internet usage, and that management runs regular security awareness campaigns to reinforce key messages and promote a culture of vigilance.
Learn from the frontline
It’s never easy to find examples of where internal audit has prevented a cyber security incident – organisations don’t publicise “near misses” or what might have happened. However, successful cyber attacks often provide lessons in how effective audit practices can mitigate or prevent breaches. We don’t know what the internal audit teams in these organisations had done before the attacks, but we can see – with hindsight – what might have helped then and could prevent similar problems in future.
In the automotive industry, the 2023 Tesla data breach is a good example. Impacting over 75,000 individuals, this breach was uncovered as an “inside job”, orchestrated by two former employees who leaked confidential information to the media. The compromised data included reports on self-acceleration and brake-function issues, crash reports and safety concerns related to Tesla’s driver-assistance system. Comprehensive employee training, stringent access controls, regular audits of both practices and culture and the implementation of whistleblower policies could have detected unauthorised access and identified risky behaviour or employee discontent.
In the financial services sector, the Equifax data breach of March 2017 resulted from attackers exploiting vulnerabilities in the company’s IT systems. This breach affected nearly 150 million people and compromised sensitive personal data. External attacks are very difficult to prevent entirely, but an internal audit team that focuses on robust cyber security measures, data-management practices and internal controls, including comprehensive data-protection strategies, can help to make access harder and, if hackers do get in, help to ensure they are spotted quickly and management moves fast to mitigate the damage and notify the correct bodies.
Elsewhere, Mailchimp, which offers email marketing services, has encountered multiple data breaches following social engineering attacks on its employees. These breaches resulted in compromised user accounts and the exposure of customer data. Internal audit can monitor whether employees are adequately trained in cyber security best practices, whether the organisation has implemented two-factor authentication and whether it has effective identity-management practices. Again, there should also be policies and systems in place to detect and mitigate vulnerabilities before they are exploited – and to detect and remedy breaches rapidly if they happen.
Technology is evolving fast – and so are the risks. Internal audit needs to evolve both its practices and its use of technology just as rapidly to help prevent future cyber breaches. It is not enough to understand the risks that exist now; internal auditors must embrace the opportunities created by AI, data analytics and machine learning to become more proactive at identifying potential vulnerabilities and predicting emerging threats. The internal audit team that spots the risks of tomorrow is the one that can best advise management today and ensure the organisation is in the optimum position to deal with attacks when (not if) they happen.
Ricardo Gameroff is Managing Partner at Kreston BA Argentina and Global Audit Business Director at international accountancy network Kreston Global.
Further information
The Chartered IIA website holds technical guidance on cyber security and a technical report on “Embracing Data Analytics”.
The Chartered IIA’s Data Analytics Working Group offers support and advice.
The institute also offers training courses on Data Analytics for Auditors.
This article was published in May 2024.