By now nearly every chief audit executive (CAE) has heard of the wave of cyberattacks that rolled out across the globe over the last week. While it is not certain that we yet know all the details about what allowed this attack to be so successful — or the scope of its impact — there are some key concepts for CAEs to keep in mind and action steps they can take in the near future to help their organizations address this type of risk.
Cyberthreats are constantly changing and never-ending. What was experienced last week was different from prior significant issues, and will probably be different from future issues. Organizations need to stay up to date, remain flexible, and address cyber risk holistically. The next major attack on your organization could very well be something you were not expecting. In addition, the hard reality is that the "next" attack has possibly already happened; you just have not found it yet. Cyberthreats are a constant risk requiring you to look forward, not in the rearview mirror. It cannot be a checklist topic driven by past experiences.
The primary focus of cyber risk must be its business impact. What is important is the impact of a cyberattack on business processes, reputation, ability to accomplish objectives, etc. Treating a cyberattack as merely the result of poor operating practices for testing and installing patches misses the critical question — how does the attack impact the business? Any risk assessment and consideration of responses to cyber issues needs to start with an evaluation of how attacks could impact business operations. For those old enough to remember, this is analogous to Y2K. The issue there wasn't computer systems shutting down, but the impact on the ability to conduct critical business activities.
Risk assessment is hard, especially for the type of risk into which cyber falls. Cyber risk can be either high-likelihood low-impact or low-likelihood high-impact — or probably both. The low-impact issues are relatively easily handled by good IT practices. The high-impact but infrequent risks are much more complicated and need much more attention to assess. For example, any new cyberattack typically is high velocity (appears seemingly out of nowhere overnight), highly complex (is not isolated to only one aspect of the business), and can be highly persistent (the impact sticks around for longer than anyone wishes). Simple X-Y grids of risk assessment cannot properly consider a risk like cyber. Cyber risk assessment requires IT knowledge, but, just as important, it also requires a strong understanding of the business, its activities, and its objectives. In short — it requires business acumen.
Cyber risks involve more than protecting the "crown jewels." Many who look at cyber risk focus their efforts primarily on making sure the organization's crown jewels are protected. These are the portion of electronic data that has the most value to the organization. But while you may have protected the crown jewels, many critical, routine operations may be supported by systems that have very inadequate protection.
Cyber risk is not an "IT thing." Cyber risk is primarily a business risk magnified, modified, and mystified by being supported by IT systems. If the primary drivers on cyber risks and responses are only IT personnel, there is a high risk the approach will be unnecessarily limited and incomplete.
Never forget the "human element." While this attack does not seem to have been primarily driven by an employee opening a phishing email, data suggests this is the source of a large number of successful cyberattacks. Training employees, communicating with them, testing them with "fake" phishing emails, training them some more, and communicating with them some more, are all part of the never-ending process to help employees understand their critical role in preventing an external hack.
So what should a CAE do today? Management and boards are invariably buzzing about the recent wave of attacks and trying to understand their exposure to this risk. The IIA's Audit Executive Center suggests CAEs do the following:
- Carefully evaluate the critical operational activities of your organization and identify the supporting electronic infrastructure to ensure the scope of your organization's cyber risk assessment is adequate. Do not start from a list of systems or the protections currently in place. Start from critical business activities and reach back into the supporting infrastructure.
- Reevaluate the robustness of the risk assessment for cyber risks. Ensure this risk assessment considers all the inherent complexities and nuances of cyber risks and is not relegated to a simplistic form of risk assessment used for less difficult risks.
- Review business continuity plans under all the various scenarios that can occur from cyberattacks — denial of service, ransomware, loss of proprietary data, etc. Ensure the plans cover all these scenarios and address how the business will keep operating, not just whether the crown jewels are protected.
- Consider initiating ethical hacking routines to seek out vulnerabilities that could be exploited by a cyberattack. With the pace of change in technology, this should be an ongoing effort, not one done only periodically when an issue arises.
- Review basic IT operations around patch management. This should not be a new idea, but given current events, it would probably be a good idea to accelerate the timing of this review on your audit plan.
- Review programs and efforts to keep employees well-trained and informed of their critical role in preventing cyberattacks from being successful.
This article originally appeared on the Audit Executive Center's website.