Internal audit and cyber risk

In the past seven months, the chaotic social and business environment resulting from the COVID-19 pandemic has significantly heightened cybersecurity risks for many organizations, with an impact on people, processes and technology.

People
- Significant increase in a remote workforce
- Governance and oversight limitations caused by a remote workforce
- Limited availability of staff
- Limited IT and cybersecurity resources
- Increase in unethical practices driven by insider cyber threats

Processes
- Processes and controls unadjusted for relaxed regulatory changes around information disclosure
- Lack of consistency and alignment between enterprise requirements and new business processes
- Absence of a true end-to-end cybersecurity program, exposing gaps in processes and controls under the weight of the current climate

Technology
- Rapid adoption of new technologies to support a remote workforce without proper protocols and testing
- Lack of technology monitoring controls to prevent data loss
- Interconnected personal and professional devices to support a work-from-home environment
- Outdated and unpatched technology/legacy platforms

As the accompanying box illustrates, cybercriminals are actively exploiting these conditions. Now, more than ever, internal audits should play a key role to protect your business and assets and to improve your cyber resiliency.

Internal audits’ cybersecurity role

Internal audits play a critical role in providing an independent perspective of your cybersecurity program during this period of change and adaptation. It’s clear that changes in IT and cybersecurity practices are here for the long term, so assessing and identifying gaps early in these new processes and controls is crucial.

Start by checking how well your risks are aligned with your cybersecurity program to drive consistent risk and compliance objectives. Evaluate emerging cybersecurity risks defined through the enterprise risk assessment and the factors driving the increase and acceleration of these risks. Then determine if changes in processes and controls are keeping pace. One option to expand the reach of internal audits is to facilitate risk and control self-assessments based on cybersecurity risk factors for selected business units. These self-assessments can then inform where you invest your internal audit resources for deeper-dive cybersecurity audits.

Next, review your operating model against regulatory mandates and frameworks. Understand if your cybersecurity practices are aligned with organizational priorities and applicable regulations. For example, if you are a health care company, is the Health Insurance Portability and Accountability Act adequately addressed in the new remote workforce model? If you are a bank, are your IT compliance practices adequate enough to meet the Federal Financial Institutions Examination Council IT Handbook and Cybersecurity Assessment Tool requirements? Do you have standardized controls around cybersecurity, and is ownership and accountability established through appropriately allocated roles and responsibilities? Is there enough independence across all three lines of defense?

With regulatory requirements and leading frameworks as your baseline, review your technology landscape to assess significant technology changes and the impact of these changes on your cybersecurity risk posture. As existing technologies are expanded or new tools are added (e.g., artificial intelligence efforts or cloud implementations), you should ensure that adequate controls are in place. Identify and prioritize risks associated with any outdated or legacy platforms.

Ensure effective reporting of cybersecurity issues to both management and your board by aligning reporting to a consistent framework based on a comprehensive review of your organization’s cybersecurity risks. Consider using regulatory and leading practice frameworks to baseline and show changes in your organization’s overall cybersecurity health.

Adapt cybersecurity efforts to unique COVID-19 challenges

COVID-19 has likely forced your organization to accelerate new technologies and adopt new processes to enable a remote work environment and otherwise adjust to doing business during a pandemic. Be sure to consider the following in your cybersecurity audits:

The need for increased training on security awareness across your organization. This training should keep employees up to date on emerging cyberthreats by increasing awareness on phishing, remote access security and acceptable use policies. Executives and privileged users should receive training tailored to their unique risk profiles.
Monitoring of increased web activity and the blurring of lines between personal and professional use of your networks and tools. Fraud and insider threat activity is generally on the rise during recessions. Given today’s fluid workplace, it is especially important to track irregular behavior.
Limiting access within your systems to only those tools that staff need to perform assigned responsibilities. Monitor high levels of activity by privileged users and monitor violations of the principle of least privilege.
Address the risks associated with increased use of web-based conferencing tools, such as Zoom and Microsoft Teams, as well as guidelines for the use of interconnected devices, such as Google Home, Alexa and others. Review policies and minimum-security configuration requirements for these tools to ensure they have been strengthened to respond to exponentially increased use.
Manage your data protection and privacy regulation risks. If you are affected by relaxed regulations due to contact tracing requirements, be sure these are appropriately tied into your overall data privacy and data protection program. Additionally, monitor data sharing through cloud-based collaboration platforms.

Audit scope alternatives to consider now

Depending on your organization’s risk profile, you may want to consider alternative audits addressing cybersecurity exposure, including privacy concerns, remote workforce issues and overall cyber resiliency. Consider the following examples:

Find out what you don’t know. The cyberthreat landscape has always been fluid, but during the COVID-19 crises, threats have been emerging at an incredible pace due to companies’ rapid adoption of new processes and technologies. Leverage defined cyber frameworks to re-evaluate your new cybersecurity landscape and learn about new risks and their impact on your organization.
Secure your remote workforce. The unprecedented speed and scope with which most organizations have had to expand their remote workforces requires new monitoring resources to protect data and mitigate insider threats. Review your practices to make sure you are enforcing technology controls for website monitoring, user behavior analytics and insider threat identification. Enhance technological controls such as data loss prevention to stop unintended data leakage.
Improve your cyber resiliency. Make sure your cyber resiliency plans have kept pace with the threat environment. A compromised system can quickly impact your entire corporate network. Your governance, risk and compliance controls must be ready to minimize the impact and speed the repair of any breach. Identify business-critical operations and crown-jewel services and be sure you have appropriate and effective resiliency plans in the event of an interruption.

As you consider changes to your audit scope, be sure to consider the value proposition as well. What benefits will the change provide? What costs might it reduce? Potential benefits include:

Better visibility into your cyber and privacy risk landscapes through tailored assessments
Rapid risk assessments to help you quickly and accurately identify high risk priorities
Safeguarding against data leakage over insecure external networks through data protection solutions
Improving cyber resiliency by increasing automation

Cost reductions are also part of the equation:

Reducing potential audit expenses associated with noncompliance with security and privacy regulations
Managing brand and reputational risk associated with insider threats and data loss
Maximizing throughput through technology monitoring solutions
Reducing the costs stemming from manual operations, duplicated efforts and inconsistent reporting

Rapid risk assessment

By leveraging a defined cyber framework, such as those provided by the National Institute of Standards and Technology Cyber Security Framework (NIST CSF) or the International Organization for Standardization (ISO), you can gain a holistic view of your organization’s risk and maturity posture and develop a strategic roadmap to address maturity gaps. Consider this example:

Phase one - Planning and initiation

Key activities:

Confirm the cyber domains’ in-scope and assessment framework being leveraged (e.g., NIST CSF, ISO 27001/2, etc.,)
Develop a project plan and prepare logistics for the assessment
Conduct kick-off meeting and circulate document request list

Outcomes:

Audit plan and work papers based on assessment framework
Kick-off deck and project plan
Document and evidence request list

Phase two - Program assessment

Key activities:

Interview management and operational stakeholders to understand the control posture
Assess readiness against the framework requirements
Define potential future state design and corresponding gap analysis
Evaluate and measure cyber risk maturity levels based on the results of the current state assessment
Define cybersecurity risks and related vulnerabilities

Outcomes:

Current and desired future state captured in the framework assessment
Ranked cybersecurity risks/vulnerabilities
Current and targeted maturity model

Phase three - Reporting

Key activities:

Evaluate and prioritize remediation plans with key stakeholders based on the risk priorities
Develop a detailed cybersecurity assessment report highlighting gaps, risks, and remediation recommendations
Develop an executive report
Socialize deliverables with key stakeholders and finalize deliverables

Outcomes:

Cyber risk and maturity assessment
Strategic roadmap
Executive and board-level reporting

Of course, the right model will be based on your organization’s specific risks and circumstances. In the end, you must match your audit approach and maturity criteria with your organization’s strategic and operational objectives, risk intelligence and capabilities, as well as your industry regulatory requirements and leading practices. By adapting your internal audit scope, approach and testing methodology in a time when cybersecurity threats are changing and accelerating, your internal audit team can help ensure you’re both protecting and enhancing your organization’s value.

Contacts:

Scott Peyton

Partner, Internal Audit Cybersecurity Practice
Grant Thornton LLP

+1 303 813 3971

Vikrant Rai

Managing Director, Internal Audit Cybersecurity Practice
Grant Thornton LLP

+1 212 624 5212

Asset management

Why asset management firms are on the move

Banking

Key 2022 opportunities and risks for banks

Energy

5 key trends in the energy industry

Healthcare

Innovation is adrenaline for healthcare

Hospitality and restaurants

New loyalty program analytics lead to better strategies

Insurance

Driving an insurance carrier ecosystem strategy

Life sciences

A new procurement paradigm at BDTX

Manufacturing

The manufacturer’s map to asset savings

Media and entertainment

How to achieve NFT business success

Not-for-profit organizations and higher education institutions

4 ways to help recession-proof your not-for-profit

Private equity

PE valuations shift around COVID-19

Real estate and construction

Outlook on commercial real estate and the economy

Retail and consumer products

New loyalty program analytics lead to better strategies

Services

Open the bottleneck of innovation in professional services

Technology and telecommunication

The cost of corruption in tech and telecom

Transportation, logistics, warehousing and distribution

COVID-19 resource center

Advisory

Update your enterprise risk management

Audit

Audit quality and transparency report

Tax

Rightsourcing

ESG

Climate risk trends call for informed action

Digital assets

Blockchain 101 for business: The benefits and risks

Alliances

Economic pressures can crystalize digital transformation

The alyx platform

How we solve with tech

SPAC

The SPAC surge

Human resource services

Winning the war for talent

Mergers and acquisitions

Board insights

CARES act analysis

Paycheck Protection Program Loan Value Calculator

CFO hub

CFOs seize the initiative amid rising economic optimism

COVID-19 resources

D.C. dispatch

The D.C. dispatch

Digital transformation

How to drive automation through a wall of recession

Growth insights

Private equity software industry insights

Industry intersections

New cybersecurity strategies in tech and finance

Private company POV

3 ways a board drives private company success

Workforce evolution

Adapting for today’s evolving workforce

Careers

My career embraces who I am

About Grant Thornton

Welcome to Grant Thornton

Purple Paladin

Meet Women in Training

We speak

We understand more than your business. We understand you.

Golf: Leading the way

Introducing the Grant Thornton Invitational

RECENT SEARCHES