In the modern risk era, any number of events can accelerate the speed of risks developing or increase the likelihood of their impact on organizations. This can be as diverse as rampant wildfires in Australia to an outbreak of the deadly Ebola virus in West Africa.
For U.S. organizations this month, a lethal strike against an Iranian military target has raised concerns about retaliatory attacks, which the National Terrorism Advisory System (NTAS) advises could come with “little or no warning.” Such attacks are not limited to traditional tactics. They are just as likely to come in the form of cyber terrorism. Indeed, the NTAS warning acknowledges as much, asserting that Iran has been implicated in previous attacks aimed at the U.S. and has the capability to carry out cyberattacks on critical U.S. infrastructure.
For internal auditors, the NTAS warning should spur quick action to assess or reassess their organizations’ cybersecurity posture. This is not just limited to U.S.-based auditors, as many U.S. companies have operations around the world that could be targets.
Organizations today are highly dependent on communications and other systems that rely on cyber networks. Attacks that compromise those networks can be more than just disruptive; they can be devastating. As the world has embraced the ease of connectivity in everything from home-based security to the operation of massive electrical power systems, it also has grown increasingly vulnerable to cyberattacks that could disrupt or even cripple whole economies.
Business Insider published an article last year that laid out just how such attacks could happen. It examined troubling and sobering scenarios that depict just how a coordinated and multipronged attack could take down fundamental systems upon which business and commerce rely. It accurately compared the fallout from such an attack to a major natural disaster in which power, water, and transportation systems are shut down, and modern business grinds to a halt.
Some might scoff at the likelihood of such a doomsday scenario, but that likelihood increases every day as the world becomes increasingly dependent on interconnected and highly automated systems. This is why protecting public infrastructure from cyber and physical attacks is vital.
The IIA published a Global Knowledge Brief for members only last year that addresses internal audit’s role in improving critical infrastructure resilience. Strategic Public Asset Protection looks at internal audit’s role within public sector entities that are responsible for response and recovery to natural or manmade threats to strategic public assets, such power grids or water systems. It also addresses auditing the adequacy and operating effectiveness of controls over preparedness across agencies and between levels of government.
Protiviti provided another resource last week when it published a flash report that presents a concise and useful outline for conducting an organizational cybersecurity assessment. The nine-point review covers basic but fundamental steps to evaluating how well an organization protects against, detects, and manages cyberattacks. While I won’t repeat the details of the report here, I can share the nine steps:
- Enhance security awareness.
- Identify the most critical systems.
- Implement mitigating controls to protect those critical technologies.
- Evaluate all access into systems and networks.
- Increase the sophistication of protection and detection strategies.
- Seek and share the latest cyberthreat information.
- Refresh the risk assessment process as it relates to cyberthreats more than once a year.
- Ensure the organization has a sound, up-to-date incident response plan.
- Ensure cyber defenses are adequately funded and staffed to manage the evolving risks and threats.
It is easy to dismiss the likelihood of a massive and crippling cyberattack as far-fetched or just another Black Swan. However, Black Swans — by definition events with low probability and high impact — have a way of showing up from time to time. Being prepared for them, especially when the stakes are so high, is imperative.
As always, I look forward to your comments.