Year on year, cybersecurity has featured prominently on organizations' risk registers. The reasons why are simple enough: Cyber risks are constantly evolving, while the level of harm they are capable of has grown to such an extent that they can pose an existential threat to businesses.
Unfortunately, rapid changes in technological risks are not necessarily being matched with increased IT awareness among executives, potentially fueling an unrealistic (and unjustified) belief that organizations are adequately prepared to meet emerging cyber and IT threats. During The IIA's General Audit Management conference held in March, Nathan Anderson, senior director of internal audit at fast food chain McDonald's, warned that more times than not, management will have an overly confident take on the company's coverage of cybersecurity risks. "That's the kind of reassuring message you often want to give to a board, but in many cases … the level of confidence might be above what is justified," Anderson said.
Now more than ever, internal auditors need to understand and continually stay abreast of cyber threats. They must also understand what those charged with cybersecurity are doing to manage risks, what measures business unit leaders are taking, how well employees are complying with established procedures, and where vulnerabilities may lie in the extended enterprise.
Securing the Supply Chain
The recent hack on U.S. tech firm SolarWinds has shown just how vulnerable companies and their supply chains can be. The cyberattack — believed to have been conducted by Russian hackers and which went undetected for months — spread to the company's clients and allowed the attackers to spy on their activities: a serious problem when the client list includes the elite cybersecurity firm FireEye and the upper echelons of the U.S. government, including the Department of Homeland Security and Treasury Department. The high-profile hack prompted U.S. President Biden to issue an executive order for federal agencies to address supply chain security throughout the life cycle of software procured and used by the government. The message is clear: Software security vulnerabilities in one organization can open doors to others if preventive measures aren't taken.
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center in Mountain View, Calif., says over the past year software supply chain attacks have become "one of the most significant cyberthreats" organizations face. As such, he says, internal auditors should be pushing for the risk to be part of their cybersecurity reviews, if it isn't already included. In particular, internal auditors should check how much of an IT application or program is based on open-source software, he says. These are freely downloadable software components that account for the majority of code in commercial applications because they don't cost any money. Unfortunately, Mackey says, these components can easily bypass the normal vetting processes that an IT vendor would use if it were developing its own software, which means vulnerabilities are likely.
The best way to gain assurance, he says, is to attain a full inventory of software assets "to identify if there are any unpatched open source vulnerabilities, but more importantly to also identify if there are missing updates or patches" to keep the organization's IT infrastructure and data safe. Indeed, ineffective patch management policies are often cited as one of the key IT threats to organizations as IT departments either forget to check for patches, or employees ignore calls to download and install them.
Experts agree that third-party IT security flaws pose serious risks to organizations and therefore require a robust preventive response — with internal audit providing strong input. Shawn Chaput, strategy consultant at cybersecurity management and strategy consulting business Privity in Vancouver, British Columbia, says there are several key risks that should be on internal audit's radar, particularly around the use of cloud services and other third-party IT service providers.
Identity and Access Management
Chaput says organizations' increasing reliance on identity and access management programs has become the most important risk since cloud computing came to prominence. "As everyone moved to the cloud or started working from home, organizations had to adapt to this new 'zero trust' architecture where identity is the new perimeter," Chaput says. Unfortunately, he says, these measures often fall short. "Even with authenticating individuals and hardware, phishing and spear-phishing appears to be highly effective in exploiting this decentralization of cybersecurity and granting nefarious actors unauthorized access to company funds or administrative access to cloud infrastructure," Chaput says.
Supplier Management
Deficiencies in supplier or third-party management programs are another key risk area. According to Chaput, with the transition to cloud services, organizations are more reliant on third parties to do the tasks they're supposed to, including handling data security. However, auditors should read the small print first. "The fact that clients may expect a cloud service provider (CSP) to do something and they don't is where due diligence prior to contract signing is important," he says. "The other relevant part of supplier management is the portability of the data you send to the CSP and whether you can actually get it back in some reasonable and useful format. Additionally, there is an increasing possibility that your CSP will be subject to a data breach of some sort — how you handle that needs to be determined well before it happens. The importance of this risk has increased, specifically since the SolarWinds hack."
Chaput says the risk of a service provider having a breach — and what the organization should do if that happens — should also be on every internal auditor's cybersecurity risk agenda. "If you're not expecting to have a breach or for one of your major service providers to have a breach, you haven't been paying attention," Chaput explains. To mitigate the risk, he says, organizations need to consider how they should respond to the incident, how they should communicate the news internally and externally, and whether they need to switch providers immediately.
Data Classification
Internal auditors also should question the levels of security their organizations give to certain kinds of data they store in the cloud, Chaput says. "Many of our clients who use cloud service providers say 'we protect all of our data as though it is the highest sensitivity' instead of classifying and labeling the data to allow it to have different levels of security controls," he says. "If you don't classify your data, you're either underprotecting some of your data or overprotecting most of your data — and paying significantly more to the CSP than you need to."
Talent Deficiencies
Ultimately, Chaput says, the fact that the cloud encompasses so many different technologies and services lends itself to another difficult risk for organizations to manage — finding and retaining IT staff familiar with constantly evolving technology. "It used to be that you'd hire an individual based on their experience with a specific enterprise resource planning package, like SAP, or with some deep technical knowledge in a vendor platform like Cisco routing and switching," he says. "Now, it's different: You're hiring someone today to use something that may not actually exist yet but will become a dominant feature of your environment in less than a year." Chaput adds that the impact of such skills shortages "has been increasing substantially over the last few years as technology changes accelerate."
Get to Know the Technology Team
The ever-changing nature of cybersecurity threats means that internal audit needs to understand not only technology, but also the people in charge of implementing, overseeing, and using it. "If internal audit is to understand technological risks, it has to understand technology," says Kamal Dua, senior vice president and chief audit executive at U.S. defense, aviation, IT, and biomedical research company Leidos in Reston, Va. Likewise, he says, if the profession is to help mitigate cybersecurity risks, it needs to know how the chief information officer (CIO) and the chief information security officer (CISO) identify and mitigate these challenges and the approach they take to cyber risk management.
"Internal audit needs to talk with and get to know the CIO and the CISO," Dua says. "Internal auditors need to understand how these functions work, and they need to form a deep and trusting relationship with them to provide the appropriate level of assurance to the company that cybersecurity risks are being properly identified, prioritized, and mitigated."
He also says internal audit has a strong role to play in establishing a solid response to cybersecurity risks. Working alongside other assurance functions such as enterprise risk management (ERM) and, in his organization, the cyber counsel, Dua says organizations should establish — and regularly review and update — a cybersecurity risk framework, as well as examine the governance around the organization's IT architecture and cybersecurity risks. Moreover, he says, internal audit should review the cybersecurity policies and standards in place to see if they are appropriately aligned to the corporation's risk tolerance and whether they are understood and circulated internally. After reviewing the organization's risk registers, internal audit also should develop a heat map to see where critical cyber risks may appear, what impact they could have on operations, and how the risks are being mitigated.
"It is important for internal audit to understand the company's ERM program, as well as understand where cybersecurity appears in the organization's risk heat map," Dua says. "You also need to develop a cyber risk assessment plan to assess what actions management is taking to mitigate cybersecurity risks and whether these need to be improved. At times internal audit functions can struggle to do this because they don't have the necessary level of in-house talent."
Dua adds that audit functions often presume IT auditors have the knowledge and skills required to audit cybersecurity, even when those skills are lacking. "It is important for IT auditors to continuously upgrade their skills by obtaining academic qualifications or professional certifications that are focused on identifying and managing cybersecurity risks," he says.
Some believe organizations should adopt a mix of low-tech and high-tech approaches to combat cybersecurity risks. In terms of low-tech, Jane Loginova, CEO of Radar Payments in London, says internal auditors should first focus on the "basics" — namely, ensuring that security policies are enforced internally and across channels and distributed networks, including core and cloud networks. "A lot of risk can be minimized by conducting regular checks and plugging security holes, settling on a unified security framework based on interoperability, centralizing visibility and control, segmenting the network to restrict the fluidity of malware, and deep integration," she says.
In terms of high-tech, she advises organizations to invest in artificial intelligence (AI) capabilities. "Investing in AI-based security systems can significantly reduce digital attacks and spot suspicious activity," she says. "The best ones are integrated with artificial neural networks, which combined with deep-learning models can speed up data analysis and decision-making. The technology also enables the network to nimbly adapt to new information it encounters in the network."
Faults on the Front Line
Still, not all cybersecurity risks are technologically complicated. Indeed, the most often cited cybersecurity threat is from people — usually employees — ignoring protocols or using the technology incorrectly.
Mark Guntrip, senior director, cybersecurity strategy, at cloud security firm Menlo Security in Mountain View, Calif., says one of the biggest cybersecurity challenges is end users circumventing security. "Companies put in place the security policies that they consider necessary to manage risk," he says. "However, if end users perceive policies as impacting their ability to get their job done, it's highly likely that they will attempt to work around the controls — not in a way to try and steal data or with any bad intention, but in fact to help the company, which puts security teams at a disadvantage." To address this problem, Guntrip says organizations should look to implement solutions that are "invisible" to end users. "Security that cannot be seen or felt cannot be circumvented," he says.
Simon Hodgkinson, senior development director at IT security management specialist Reliance acsn in London, says internal audit must push for effective leadership from the top. "It should be clear everyone is accountable for cybersecurity, much like safety, and this should not be viewed as a problem the security team owns alone," he says. "The leadership team should sponsor behavioral awareness campaigns, and the board and executive team should regularly undertake crisis exercising for a cyber event."
Hodgkinson adds that CAEs should work more closely with CISOs to jointly develop the internal audit plan and target resources to areas of the most concern and risk to the company. "Having the CAE and the CISO articulating a consistent and coherent view of the risk to the executive team and audit committee is a powerful way of balancing cyber and operational risk," he says.
Other experts agree that effective cybersecurity requires a strong "human touch." George Finney, chief security officer at Southern Methodist University in Dallas, says forming strong relationships more widely is vital if internal audit is going to play a key role in improving cybersecurity risk management and resilience. "Relationships are our most important currency when it comes to effective change," he says. "Employees are the biggest threat surface in an organization — but they are also the ones on the front lines that are in the best position to understand the business and what controls will work in the real world."
Partnering With Business Units
Finney says it is also important for internal audit to develop relationships with department heads. "While talking to the IT department is obviously a good start, it is also important to talk to other department heads," he says. "What IT risks have they identified and prioritized? What methodologies were used to assess these risks? And are they the same as those that the IT department has identified? If other department heads invite internal audit in to help with project reviews and to test risk controls, it sends a signal throughout the rest of the organization that the audit function is one to call in a crisis — and that is a huge win."
In fact, Finney says one of the cornerstones to any successful cybersecurity risk management policy is to get enterprisewide buy-in. "I don't go out with a checklist and tell people where they are going wrong — I see every meeting/review as an opportunity to plan more effectively and to improve," he says. "It is more important to understand the thinking behind why people have taken the actions and decisions they have. If you approach audits from a positive perspective — rather than from the 'internal policeman' approach — you get fuller engagement."
Finney says that since cybersecurity is such a key risk to every organization, it "should be used as an opportunity by internal audit to push for executive support for initiatives that you know need to happen." And he adds that when internal audit assesses cybersecurity policies and controls in different areas of the organization, it presents an opportunity to build relationships with clients. "We don't want people to be afraid of internal audit: We want them to partner with us and collaborate to improve."
An Ongoing Threat
Cybersecurity risks are here to stay — and they will continue to evolve, constantly calling into question controls and procedures put in place to minimize and mitigate the dangers. Recent high-profile hacks and other IT security disasters should remind internal audit to widen its focus away from just the technology to other equally dangerous aspects of cybersecurity risk, such as policy noncompliance among employees or lack of third-party cyber-resiliency. They should also be a reminder of vulnerabilities that could appear anywhere in the organization and the importance of collaborative effort. Internal audit can help bind together different parts of the enterprise to form a unified front against cyber threats and help keep the organization protected from would-be attackers.