4 ways boards can deliver better cyber security through internal audit
The global WannaCry ransomware attack has put cyber security under the media spotlight again this month, with many organisations having to sift through the wreckage and work out what went wrong.
In 2015, a Deloitte report claimed that high-profile incidents have emphasised the importance of all elements of the three lines of defence understanding cyber threats – and internal audit is no exception.
Since then, the issue has only become more crucial, as cyber criminals show increasing sophistication in their methods of attack and abilities to exploit weaknesses in IT systems, particularly outdated networks.
But how can internal audit strengthen cyber security preparedness? The Chartered Institute of Internal Auditors (IIA) has published a new board briefing that outlines key ways in which senior executives can encourage auditors to take a more proactive role in cyber security strategies.
1. Be aware of upcoming regulations
The General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive are two pieces of key regulation that the EU has implemented and UK organisations will need to comply with by 2018.
While the UK is leaving the union, the country’s government has confirmed that any existing EU laws will be kept in place until British legislators can overturn them.
Put simply, the GDPR and the NIS Directive will both place increasing scrutiny on businesses to manage cyber security risks to their data and systems, respectively. Boards must ensure the internal audit department has a clear and formal mandate for incorporating these regulations into checks and balances.
2. Embed a strong cyber security culture
Boards should ensure the company’s culture encourages best practice around cyber security issues, which should be underpinned by regular training and education to prevent careless mistakes from becoming big problems.
Specifically, it’s crucial that cyber security knowledge runs deeper than just surface-level understanding; any training carried out must be reflected in employee behaviour and the wider culture.
“Internal audit can play a significant role in this organisational response by providing assurance over cyber risk awareness and whether the overarching cyber strategy is reflected in employee behaviour and effective controls,” the report said.
3. Set a proactive (rather than reactive) strategy
Many organisations are guilty of only updating systems and strategies to deal with cyber attacks once they’ve occurred. The average cost of a breach in 2017 was £19,600 for a large organisation, according to a government report, making it an expensive lesson for businesses that aren’t adequately prepared.
Boards and senior managers must therefore have a comprehensive understanding of potential cyber risks, as well as confidence in management teams to have performed appropriate threat assessments.
Internal audit’s role will be to provide essential feedback on how effective a board’s proactive policies have been and whether there are areas for improvement. Chief audit executives must work closely with board and audit committees so that cyber plans are well aligned with the organisation’s risk appetite.
4. Invest in the right skills and experience
Technology is a rapidly evolving industry, and cyber security must be equally fast-paced to prevent breaches. This requires high-end skills and experience not only in security and resilience teams but also in the internal audit departments.
“The function should also routinely engage with internal and external subject matter experts to understand the changing nature of the threat and, in most cases, co-source expertise to run comprehensive cyber audits,” the IIA stated.
Figures from Barclay Simpson showed earlier this year that less than half of internal audit departments feel they are adequately resourced to meet the demands placed upon them. Nearly three quarters are finding it difficult to recruit the right candidates to fill available positions.
Would you like to know more? Please get in touch with one of our internal audit recruitment consultants.
Our 2017 Market Report combines our review of the prevailing conditions in the internal audit recruitment market together with the results of our latest employer survey.
Image: NicoElNino via iStock