What is the relationship between IT and internal audit in cybersecurity and preparedness?
IT is essentially the assets that cybersecurity is supposed to be protecting. Internal audit should ensure technical and nontechnical controls are in place and operating effectively. Internal audit personnel must become intimately familiar with cybersecurity and how to test the effectiveness of cyber controls. Too often, internal auditors are not technical enough to assess whether an organization’s cyber controls are adequate to protect the assets they were put in place to protect.
Internal audit’s most valuable role is ensuring cybersecurity functions have the resources necessary to protect the organization effectively. Whether those resources be funding, staffing, or data from the organization’s IT systems, internal audit should be a strong advocate for the cybersecurity function by raising awareness around the organization’s cybersecurity needs. Internal audit assessment results should be a major topic in C-suite briefings to ensure the cybersecurity function receives the support necessary to protect the organization.
How can an organization ensure its employees do not become part of a social engineering attack?
Employees should be trained to identify and avoid becoming a victim of social engineering as part of an effective cyber education and awareness program, where frequent simulation exercises are a core component. The results of these exercises should be communicated across the organization, and C-suite executives should be kept up to speed on how the various areas of the company score on these exercises. Some organizations have begun to factor the results into employee performance reviews. For example, if an employee continuously fails phishing tests, that employee may be subjected to extra training, or his or her yearly performance rating might be impacted. Regardless of the consequences, C-level support is critical to raising awareness of social engineering among employees.