© Maksim Koval/ISTOCK/THINKSTOCK
According to a report by the Institute of Internal Auditors Research Foundation, cyber preparation at most organizations follows a classic bell curve. Asked, for instance, how prepared their organizations would be to respond to a cyber attack, 29 percent of respondents said "extremely" or "very," 44 percent said "moderately", and 23 percent said "slightly" or an ominous "not at all."
As organizations increase spending on tech tools to address cyber risks, internal auditors are advocating an holistic approach that includes policies, response planning and board involvement to develop a broader view of an organization's cyber risks and defenses.
Helped by their understanding of organization controls and risk management, internal audit can bring various functions together and help them address cyber threats more effectively, the study says.
"Boards and audit committees also must ... be kept up-to-date on technologies that not only can help meet business objectives, but also may make an organization more vulnerable to attack. When properly resourced and supported, internal audit will develop the skills and perspective to provide review and assurance services in this area," the study says.
Key Components
The report identifies five key components to cyber risk management and says internal audit can play a key role in supporting each element:
- Protection: Internal audit can help organizations test security controls related to bring-your-own-device (BYOD) policies, review third-party contracts for compliance with security protocols, and perform IT governance assurance services.
- Detection: IIA's 2015 Global Internal Audit Common Body of Knowledge (CBOK) study found that five in 10 respondents use data mining and data analytics for risk and control monitoring, as well as fraud identification. The cyber preparedness study says audit executives should partner with IT and information security pros to develop and monitor key risk indicators and validate security-related controls.
- Business Continuity: Just as they plan for natural disasters or other corporate crises, organizations have to develop plans to serve customers and other stakeholders during cyber attacks. Internal audit can help provide enterprise-wide perspective and provide assurance about the expected effectiveness of response plans.
- Crisis Communications: Similar to response plans, it's important to keep customers, shareholders, regulators and other interested parties informed during (and immediately after) a cyber breach.
- Continuous Improvement: If an organization experiences a cyber attack, internal audit can play a valuable role in helping the organization assess the effects and outline strategies and protocols to defend against the next attack.
The study also suggests corporate boards increase their ability to assess and defend against cyber risks. This may involve recruiting board and committee members with cyber-related experience or expertise, or bringing in third-party security experts to educate board members about evolving cyber threats and governance practices.