The average cost of a data breach is $3.86 million, according to a 2020 global IBM study. Moreover, breaches caused by malicious attacks are the most common — and the most expensive. October is Cybersecurity Awareness Month. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) emphasizes personal accountability in this year's theme: "#DoYourPart. #BeCyberSmart." CISA provides links to specific resources for the month, including tip sheets and a ready-made presentation (PDF), as well as a Cyber Resource Hub featuring myriad assessments, tests, and evaluation tools.
Internal Auditor's four-week cybersecurity series, with five questions to consider each week and a list of suggested resources, seeks to encourage practitioners to help organizations strengthen their defenses against malware, social engineering, physical cyberattacks, and other threats. Certainly, COVID-19 has made cybersecurity more relevant than ever to organizational governance: digital and cloud-based technologies enable employees to work remotely, while internal and external security operations centers remotely monitor, assess, and respond to vulnerabilities and threats. Internal audit leaders have augmented their audit plans to specifically consider activities for business continuity, incident management, updated risk assessments, changes in risk management approaches due to changes in the organization's risk appetite and profile, and the remote provision of independent assurance. Cybersecurity is integral to all of these activities, and getting it right is essential to organizational well-being and success.
Week 4: Questions for the Chief Information Security Officer
The recent ransomware attack on Universal Health Services, one of the largest healthcare providers in the United States, illustrates the increasing cybersecurity risks faced by organizations, especially in the middle of the COVID-19 pandemic. The attack crippled operations at the company's facilities, reportedly forcing some hospitals to fall back to pen-and-paper recordkeeping, although the company said no patient or employee information appears to have been accessed.
In reflecting on their own organization's vulnerabilities to cyberattack, here are five questions that chief audit executives should be asking their chief information security officer to consider. The questions cover various aspects of cybersecurity such as controls, policies, alignment among roadmaps, and testing. Answers can provide a starting point in an organization for discussions about the cybersecurity risks and areas that need to be addressed.
Meanwhile, as Cybersecurity Awareness Month continues, follow @CISAgov and @StaySafeOnline to learn more and to stay informed. Additional resources are provided below.
- How are you assured that the data protection controls in place are operating effectively and are adequate to meet the expectation of insurers should a claim need to be filed after a cyber-attack?
- How has the organization altered its information and cybersecurity policies and procedures to account for work from home and possibly the use of cloud service providers and additional contractors (or existing contractors now working from home)?
- How do you assure alignment between the information (cyber)security roadmap, product roadmap, and information technology roadmap? What alterations were needed to address the changes required in the past year?
- What directive and technical controls have been implemented or altered to assure network and application acquisition (vendor and contract management) and maintenance (monitoring/scanning, patch management, backups, vulnerability management, firewall and router configuration settings, etc.) activities are still following the current procurement, vendor management, and contract management processes?
- How are file restores and tests of the business continuity plan, disaster recovery plan, and incident response plan and playbooks being handled now, and what have you and your team discovered as a result of those tests?
Week 3: Questions for the Board of Directors
Just as cybersecurity risk stretches far across the organization and can threaten everything from supply chains to worker productivity and third-party relationships, so too must an understanding of cybersecurity stretch from the worker front lines to the very top of leadership — namely, the board of directors. While it is true that the board may not take an active role in cyber-risk management, effective and informed oversight of policies, procedures, and controls from the top is critical to maintaining a stable, productive organization.
Nowhere has this been truer than in the throes of the COVID-19 pandemic that has dominated the 2020 news cycle. As organizations and businesses continue to deploy and refine systems and networks to support staff working from home, cyber criminals are taking advantage of increased security vulnerabilities to steal data, generate profits, and cause organizational disruption. According to the U.S. Federal Bureau of Investigation, its Internet Crime Complaint Center now receives between 3,000 and 4,000 cybersecurity complaints per day — a 300% increase since the beginning of the pandemic.
With organizations facing such a stiff challenge, chief audit executives should ensure they are working with the board to remain ever vigilant of cybersecurity threats and understand the depth of the risk their companies must contend with. To help accomplish this task, here are five questions CAEs can ask their boards as they continue to make informed, calculated decisions throughout the pandemic:
- How are you assured that the current enterprise risk profile and IT risk profile accurately reflect the cyber-related risk faced at this stage of the pandemic?
- What additional financial appropriations have been considered to account for required changes to the network infrastructure, including patch management, and to support remote work efforts?
- What briefings have you and your colleagues received by the chief information security officer, the chief data officer, the chief privacy officer, and the chief risk officer in regard to the increased cyber-related threats faced by organizations in 2020 and the internal efforts implemented to offset those threats?
- What collaboration tools and other technologies have been deployed to assist in board-related communication and activities?
- If a cyber-attack happened today, do you feel the organization has adequate reserves and cyber-related insurance coverage to successfully recover from the incident?
Week 2: Questions to Ask on Every Audit
It's no secret that cybercriminals will seek to gain access to an organization through its weak spots. Like a fortified castle on a hill, an organization may consider itself well-protected — but all it takes is one unguarded "back door" to give an intruder an opening.
Internal auditors can help their organizations identify the holes in cybersecurity defenses by asking the right questions and investigating IT maintenance procedures and controls. Just like the addition of a new door or window in a castle, the introduction of a new process, application, or system could make an organization's infrastructure more vulnerable to attack if not protected, patched, and monitored.
And it's not enough to inspect an application or system once and then let it go. Internal audit should conduct due diligence to see what has changed since the last engagement. Likewise, it's important to ascertain who has the "keys" to the castle, in the form of entitlement reviews, and to look for a robust transfer and termination process to ensure access rights are appropriate when someone changes roles or leaves.
Organizations must have a solid strategy in place to win at cybersecurity chess. As part of Cybersecurity Awareness Month, here are five questions internal auditors should ask during every audit engagement:
- What data protections have been implemented for this process/application/system?
- What is the backup and retention schedule for the application/system?
- What is the status of patches, vulnerability remediation, and audit finding remediation for this process/system/application?
- Have any changes related to this process or application/system been implemented since the last review? What has been the security-related impact of any technology or process change since the last audit?
And here are five bonus questions to help internal auditors #BeCyberSmart this month:
- How do you gain assurance the programmers are following secure coding techniques and the organization's software development life cycle?
- How do you gain assurance that appropriate separation of duties (SoD) is maintained for users, bots, and application security roles? How is SoD maintained within automated workflows?
- What types of intrusion detection, intrusion prevention, and data/information leakage prevention rules have been implemented to safeguard data and information assets from inappropriate access?
- How is the system accessed (via single sign-on through a virtual private network, direct to website, etc.)? Who is the administrator? How are his or her activities monitored?
- How is the system monitored? By whom? Who is informed of exceptions? How are they informed and under what circumstances?
Week 1: Questions for the C-suite
A vital element of organizational cybersecurity is assessing and mitigating the risks that could affect critical business processes. Senior management, process owners, the internal audit activity, and the board must consider cyber threats that could cause the interruption or failure of critical business processes and their associated infrastructure. This includes assessing whether policies, procedures, and controls are designed adequately and operating effectively to protect the organization's data and information assets — especially with more functions accessing this data and information remotely.
Leaders must consider, for example, whether policies, procedures, and controls have been updated to account for work-from-home environments and monitor the changes in the supply chain, third-party relationships, and other areas of heightened risk. To coordinate coverage and provide independent assurance to the board, internal audit should reflect on these questions with the C-suite:
- What security-related gaps or weaknesses were discovered in this year's assessment of risks related to critical business processes?
- Based on the most recent risk assessment, how were critical business processes adjusted to safeguard data and information assets against cyber threats in work-from-home environments?
- Based on the most recent risk assessment, how were corporate (or department) policies and procedures adjusted to ensure data protection?
- How do you, as the data or process owner, gain assurance that your data or system has adequate controls to prevent, detect, and defend against potential cyberattacks?
- To which cyber threats do you believe your critical processes or data are susceptible, and of those, which are the most likely to affect the organization's data or processes?
These content and training resources can assist practitioners as they look to support organizational cybersecurity efforts.
Global Technology Audit Guide (GTAG): Assessing Cybersecurity Risk — Roles of the Three Lines of Defense
Cloud Security, Insider Threats, and Third-Party Risk (PDF)
Rethinking Preparedness: Pandemics and Cybersecurity (PDF)
Internal Audit Foundation
Privacy and Data Protection — Part 1: Internal Audit's Role in Establishing a Resilient Framework
The Future of Cybersecurity in Internal Audit
Internal Auditor Magazine
A Matter of Privacy
Beware the Coronavirus Scams
When the SEC Speaks About Cybersecurity, We'd All Better Listen
Assessing Cybersecurity Risk: Roles of the Three Lines of Defense
Cybersecurity Auditing in an Unsecure World
Fundamentals of IT Auditing
OnDemand Technology Courses
IT General Controls
The IIA Global Cybersecurity Resource Exchange