
Cybersecurity in Turbulent Times

As the pandemic wears on, the risk of a cyberattack is not often the focus of organizations struggling to adapt.

Zach Raizen
Director, Risk Consulting

Kapish Vanvaria
Americas Risk Market Leader


What have been the short-term implications of the pandemic on organizations' cybersecurity efforts?

Raizen: The short-term implications have been tied to whether their current focus was on protecting the external boundary, or if they were previously configured to leverage a hybrid environment with many remote workers already. Those that had infrastructure and practices in place already to support remote work mostly added licenses for the additional software. Those that did not, operated in a scramble to support continuation of work, often without a focus on security during the process. Attackers recognized this and were quick to target users with pandemic-related phishing campaigns and attacks focused on VPNs or other remote technologies. In some cases, organizations leveraged less secure solutions — those with lower levels or no encryption, external services without multifactor authentication (MFA), etc. — creating opportunities for attackers and added confusion caused by rapid changes.

Vanvaria: Over the last year, organizations have had to transform at an accelerated speed that would have been thought impossible just a short time ago. However, many organizations did not involve risk management functions or cybersecurity in the decision-making process, not necessarily due to oversight but rather the urgency of the need to adapt for survival. As a result, these organizations need to address the risks and potential vulnerabilities that were introduced during their transformation efforts at the height of the pandemic while also ensuring cybersecurity resilience for the next major event.

What will likely be the long-term effects?

Vanvaria: My colleague Elizabeth Butwin Mann, EY Americas cybersecurity consulting leader, provides a broader look for the longer term of how cybersecurity is a business issue rather than a technology issue. She says the past has always been about cybersecurity as a back-office function, buried in an IT back office, and now it is time to take a look at cybersecurity embedded into business priorities: cyber for supply chain, cyber for manufacturing, cyber for the customer and employee experience, etc.

Raizen: The longer-term effects will be increased spending on cybersecurity — especially related to the purchase of additional security tools and automation of processes. While many will focus on the technology, there has also been a lot of emphasis on building good processes and on the value of having and testing a response plan. Recent data has shown that in the U.S. National Institute of Standards and Technology Cybersecurity Framework, organizations focus heavily on the Protect domain, but not much on the Respond and Recover domains, although these can be critical, as no security is foolproof. With the increasing volume of threats, automation will be key to sort through the data and respond effectively, which will increase the focus on data quality and validating models used for tuning these tools.

With employees returning to offices, how might attitudes toward cybersecurity change?

Raizen: I don't think employees' attitudes will change drastically. However, there is an increased awareness of cybersecurity threats among the general population because of the proliferation of these attacks and news stories about them. This mostly helps people become less resistant to additional security controls — when they are reasonable. With security, we always need to keep in mind the balance of security with usability when working with users, as low usability often creates a situation where users will circumvent better security controls. Fortunately, people have become very accustomed to some great controls, such as MFA, and the better we can continue to make similar experiences a standard thing, the more people will adopt them. I know there is a lot of work, including recent efforts from Microsoft to move to a password-less approach, and I think that is a great direction.

Vanvaria: Remote working has been a particular issue, and incidents of phishing and other threats are on the rise. Larger corporations have been able to ride out the storm more comfortably given the access to capital to manage risk, especially those with integrated risk management functions throughout the first, second, and third lines. Employees will have a greater appreciation for the protection the enterprise network provides; however, employers will have to continue to invest in awareness and enhanced training and provide better hardened equipment to end users.

Will it be easier or more difficult to manage cybersecurity post pandemic?

Vanvaria: The hybrid world and new ways of working will definitely create another layer of complexity. The EY 2021 Global Information Security Survey, which surveyed more than 1,000 cybersecurity leaders at organizations worldwide, found that 56% say that businesses have sidestepped cyber processes to facilitate new requirements around remote or flexible working. At the same time, cyber leaders say they have never been as concerned as they are now about their ability to manage the cyber threat (43%), with 77% warning that they have seen an increase in the number of disruptive attacks, such as ransomware, over the last 12 months — up from 59% in the previous year's survey.

Raizen: I don't look at it as easier or more difficult. A few things have happened, including a shifting of risks, and exposure of some underlying issues that have been raised because of that. For example, traditional network boundaries have changed drastically, and concepts such as zero trust, along with the importance of using strong passwords and MFA, and the implementation of endpoint detection and response systems to detect and stop attacks, can be critical. So just like the risks, the effort is similar, but it has shifted to different activities, such as building in automation, or deploying additional training. It will be important to make sure people are continuing to apply basic security to new technologies and solutions as they are introduced.

What can internal auditors do to help organizations address cybersecurity as employees return to work?

Raizen: It is important to continue to focus on managing risk, and not jump to the latest threat whether it is directly relevant or not. I still see many organizations failing to tackle the basic security controls effectively, while trying to put more advanced things in place. This can leave significant exposure, and cost a lot of time and money in the interim. It is important to focus on having good, formal processes in place, leveraging a standard framework to help ensure completeness and to track maturity, and then to add in tools and automation to support as needed. Internal auditors should focus on the process side, and ensure that basic controls are highly effective before reviewing more advanced system configurations.

Vanvaria: The pandemic has accelerated the global megatrends, forcing organizations to move toward flexible audit planning. The aim is to shape the internal audit function to meet the future and post-pandemic world demands. Disruptive market conditions, cyberattacks, and digitalization are here to stay and bring along new, even more sophisticated risks, to which companies need to respond to find long-term success. My advice to many chief audit executives is to be agile and flexible in their approach, aligning to their organizations' continuous and emerging enterprise risk management outputs, strategic direction, and priorities. Audit professionals will be able to apply more judgment in their work and focus their attention on new risks and outcomes, in addition to processes and controls. They will also be able to use a variety of dynamic outputs, on a more real-time basis, and go beyond root-cause analysis to provide best practices, sector trends, and relevant benchmarks to meet the needs of stakeholders.


About the Author



Ia Online Staff: Written by Internal Auditor magazine staff.

