October 23, 2023
October 23, 2023
Cyber criminals are continually targeting weaknesses in your cyber security stance — and a successful attack could result in significant financial, operational, and reputational damages to your organization.
As the digital landscape continues to transform, internal audit is playing an increasingly important role as the third line of defense to help ensure that organizations are cyber secure. Discover four key areas that internal auditors can focus on to make an impact.
Data has become every organization’s most valuable asset — but is also its most vulnerable. Cyber criminals are continually targeting potential weaknesses in your security stance. The consequences of a successful attack can result in costly or irreparable operational, financial, and reputational damage to your organization.
In previous years, we saw a large consumer financial information business suffer a major data breach, which impacted millions of people and resulted in the resignation of both its CEO and CISO. These breaches often result in legal, legislative, financial, and operational implications for financial institutions and other organizations alike. It is becoming extremely apparent that risk management professionals and internal auditors will need support to face the challenge of managing cyber risks.
Here are four key areas that internal auditors can focus on to make an impact as the third line of defense within an organization after management and information security.
Organizations are increasingly recognizing the need for an independent review of security measures and performances.
“Internal audit is one of the few voices that is purposely positioned to go across the entire organization, and it is able to look at how the different parts work with each other and make sure the right information is getting to the right people.” – Internal Auditor Magazine
Internal audit activity can provide senior management with independent and objective assurance on governance, risk management, and controls pertaining to cyber security. This includes assessing the overall effectiveness of the activities performed by the first and second lines of defense (management and information security, respectively) in managing and mitigating cyber security risks.
Focus areas for internal audit should include the relationship between cyber security and operational risk, prioritizing responses and control activities, and performing audits for cyber security risk mitigation across the organization.
Internal audit can help improve the organization’s security posture by looking to:
When it comes to selecting a cyber security control framework, companies don’t need to reinvent the wheel. Organizations should select a framework that works for them — possibly amalgamating several as one may not fully meet your needs. This is because organizations have differing levels of maturity within their information security program. It is important to adopt a framework which allows an organization to meet some standards but also has room for growth.
Frameworks and compliance standards involving international regulations such as the North American Electric Reliability Corporation (NERC), NIST, ISO 27001, and Payment Card Industry Data Security Standards (PCI DSS) are required to be met in full for an organization to market itself as being compliant. It is often difficult to accomplish this across an entire enterprise network and many security frameworks are not generalized enough to apply to all organizations.
An example of a flexible framework is the Centre for Internet Security’s 18 Critical Security Controls. This framework was originally intended to provide a roadmap for organizations to help protect against cyber attacks. The framework uses 18 different categories, each of which provide increasing levels of controls — from foundational safeguards to advanced security controls and processes. This allows organizations to adopt a framework to a degree which matches their risk appetite.
The following are key questions which internal audit should try to answer to gain an understanding of an organization’s current security posture, risk appetite, and its ability to manage and mitigate any potential cyber threats:
From ransomware to increasingly persuasive phishing schemes, cyber crime is a global issue — and it’s on the rise. Take our interactive self-assessment health check to discover where your organization may be vulnerable to online threats.
An organization’s governance and culture play an important role in managing cyber security risks and influencing cyber resilience. For many boards and regulators, creating a culture of risk management has become an area of emphasis as cyber threats continue to evolve with the digital landscape.
Building cyber resiliency into an organization involves aligning its governance and culture to manage risks and enhance security. This includes creating a governance framework that outlines reporting structures, roles and responsibilities, and accountabilities for cyber security. Organizational culture should align with this governance framework through awareness training, employee behaviours, and active commitment from leadership.
Internal audit can evaluate the alignment of governance and culture through reviewing organizational policies and procedures, assessing employee training programs, and conducting a culture assessment of the organization. This helps to reveal whether the organization’s leadership, structure, policies, and employee behaviours are working together in alignment to create a strong cyber security posture.
For more information, connect with our Cyber Security and Privacy team. Our team will work with you to set a security and privacy baseline, identify your top threats, and define resilience tactics to effectively future-proof your organization.