It's in the news again.
A new ransomware attack (Petya) that spans the globe was not promptly detected or prevented by corporate defenses. It's headline news everywhere.
Plus, all indications are that our ability to address the mounting threats is insufficient. Have a look at this survey, Majority of Organisations Are in the Dark Regarding Daily Network Attacks.
So what should the board, top management, risk practitioners, and internal auditors do?
Some consultants and advisors are diving into the weeds. I put a recent piece by a marketing manager at Protiviti in that category. Her blog post "What Is Internal Audit's Role in Cyber Security?" is not particularly useful.
Frankly, I don't find The IIA's Global Technology Guide (GTAG) "Assessing Cybersecurity Risk" particularly helpful either.
Board members, executives, and practitioners need to take a breath and step back.
Look at the big picture, not the weeds.
Ask yourselves these questions:
- We are being attacked constantly. What would happen if and when there is a breach of our defenses and we are held to ransom? What would the consequences be? How would our corporate objectives be affected by an inability to use the systems until the threat is removed, probably by paying the ransom? Do we have a response plan and process in place to act quickly enough?
- What if the breach led to a longer period of disruption? How would that affect our business and our ability to achieve our strategic objectives? How confident are we in our ability to respond and bring our systems back quickly?
- On the other hand, what if the hackers wanted to steal confidential information, our intellectual property, or information they could use to attack our partners and customers? How confident are we that we would be able to prevent or detect a breach by such hackers, know what they have taken, and then respond to mitigate any damage? How would our business be affected? What strategic objectives might fail?
Then ask how much you would be willing to pay to prevent any of the above. Is it more than currently dedicated? Would committing additional funds and resources reduce the risk sufficiently?
I am not persuaded that any but a few massive organizations can afford all the resources, including tools, to satisfactorily address the risk.
I would ask whether it would make more sense to use a cybersecurity service provider. They have the specialists with current knowledge and the tools necessary.
But first you have to know how the business would be affected — the effect of one or more cyber breaches on the business.
Risk and audit professionals should be paying attention to cyber risk.
- Does the organization have a good handle on its cyber-related business risk, as discussed above?
- Does leadership, from the CEO down to and including the information security team, have confidence that there is an acceptable level of prevention and detection, that the risk they are taking is acceptable?
- Is the information security team sufficiently resourced, in their opinion? If not, why do they believe there are gaps, and why has management not provided additional funding? Is it because the practitioners and executives have different views of cyber risk, or because resources need to be allocated to more important areas (and that is appropriate)? Can the risk or audit practitioner help bridge the gap in understanding between management and the information security team?
Only after addressing these questions and related issues would I dive into assessing individual or groups of weeds — the detail.
Understand the big picture and the level of cyber-related business risk before assessing individual vulnerabilities, defense, detection, and response mechanisms.
Do you agree?
I welcome your views.