How internal audit can fortify cybersecurity


When you’re trying to stay a step ahead of ransomware attackers, adjusting your organization’s cybersecurity profile can start to seem like an endless game of whack-a-mole.

But it’s a game you must master, as system complexities, interconnected services and accelerating changes have created an explosive risk of business disruption.

As ransomware threats expand, internal audit leaders can play a vital role in delivering value-driven insights that help management and the audit committee understand the organization’s cybersecurity risks, resilience and potential for recovery.

Ransomware attacks can be launched from undetected software vulnerabilities, or when an employee opens a phishing email and clicks a link that unleashes malicious software. Such software can cut to the core of business operations and drive companies to pay multi-million-dollar ransoms. In June, the White House warned corporate executives to reassess defenses against these attacks, after ransomware at a meatpacker disrupted meat production in North America and Australia.


“No company is safe from being targeted by ransomware, regardless of size or location,” wrote Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, adding, “We urge you to take ransomware crime seriously and ensure your corporate cyber-defenses match the threat.” Leaders must ensure that they have called upon their best resources to take dynamic and effective action.




The role of internal audit


Attacks on the rise

Recent news has highlighted cyberattacks that target Log4j, SolarWinds and other emerging vulnerabilities.

Whether attacks begin from these vulnerabilities, phishing emails, infected websites or elsewhere, organizations need an effective incident response and a proactive approach to reduce the risk of future attacks. Your internal audit team can be well-positioned to help you fortify internal systems against the breadth and impact of a ransomware attack.

As cybercrimes accelerate, a crucial role has evolved for internal audit. Internal audit must help their organization anticipate, adapt and respond to these attacks against a backdrop of faulty or neglected systems and practices. Four critical areas often provide openings for these attacks:

  • Cybersecurity resilience: As the list of threats grows, the maturity of cybersecurity resilience often fails to keep pace.
  • Third-party ecosystems: Companies are expanding their reliance on third parties, entrusting them with greater access to organizational data and critical tasks, while monitoring and lifecycle management of third parties has often lagged.
  • Advanced technology solutions: The march of automation, data-rich production cycles and the use of third parties make entire industries vulnerable to cyberattacks.
  • Data governance: Few organizations have a formal and mature governance framework in place to enforce data classification, lifecycle management and technology solutions.


“We’re seeing a move away from looking at strict capabilities and components of cybersecurity into the broader conversation of cybersecurity resilience,” said Grant Thornton Partner in IT and Cybersecurity Internal Audit Scott Peyton. Peyton said that organizations are asking larger questions like “What’s the resilience of the organization to respond, adequately mitigate risk and keep the organization from harm?”




The larger question of resilience

 Scott Peyton

“We’re seeing a move away from looking at strict capabilities and components of cybersecurity into the broader conversation of cybersecurity resilience.”

Scott Peyton

Grant Thornton Partner in IT and Cybersecurity
Internal Audit


Overall cybersecurity resilience is a critical factor in defending against ransomware attacks. It requires organizations to prepare for impacts from cyberattacks that cannot be predicted or prevented. It also requires close collaboration with third-party service providers, intelligence agencies, industry groups, security analysts, customers and supply chains.

The key elements of cybersecurity resilience include:

  • Governance: This includes building collaborative communities and intelligence sharing, assessment and validation, defining and enforcing roles and responsibilities, promoting accurate reporting, and making informed decisions.
  • Detective and protective controls: Some examples of controls are user access reviews, strategic system segmentation and user integrity assurance. These follow the principle of least privilege, ensuring that access is aligned to the minimum access needed to perform a job.
  • Technical capability with optimized controls: This calls for ensuring that the standard response processes to an attack become the minimum acceptable level; reviewing changes in technology; tracking, logging and alerting; and testing the controls through the use of adversary emulation.
  • Response and recovery: It is essential to regularly update incident response plans, train users based on current threats, and build resilience recovery based on the standard recovery processes of backup, disaster recovery and continuity planning.

The most important aspect of cybersecurity resilience is a coordinated defense that merges all of these elements into a unified strategy and architecture.




The evaluation of evaluations

Vikrant Rai

“A lot of times, you’ll see that these technical controls are not configured correctly…”

Vikrant Rai

Grant Thornton Director for IT and Cybersecurity
Internal Audit


To form a coordinated defense, organizations must ensure that their technical controls stay updated and effective across a range of factors. Internal audit can play an invaluable role in evaluating the risk landscape, communicating the impact of a risk materializing, performing technical audits aligned to changing risks, reviewing cybersecurity insurance coverage and ensuring board-level reporting.

Too often, organizations incorrectly assume that implementing technical controls is enough to protect against attacks, said Grant Thornton Director for IT and Cybersecurity Internal Audit Vikrant Rai.

“A lot of times, you’ll see that these technical controls are not configured correctly or are in the process of finding the right balance between protection and enabling business,” Rai said. “It’s kind of a three-legged stool: People, processes and technology. Often, what we see is that there can be some great technology, but the three-legged stool falls down on the side of configuration, overall monitoring, management and ongoing sustainability.”

One effective way to evaluate technical controls is by using a risk-based framework. Internal audit can leverage comprehensive standards such as those established by the National Institute of Standards and Testing (NIST).


These standards and others in the NIST 800 series provide practical guidance on how to address tangible risks with technical controls:


“Having a risk-based approach, taking the right framework and applying it to the audit is going to be critical in how we evaluate the overall effectiveness of these controls,” Rai said.




The plan to respond


When internal audit stays up to date with cybersecurity trends and leading practices, it is well-positioned to independently monitor an organization’s cybersecurity resilience, recommend how the organization can mature its program and update its incident response plan.

There are several opportunities for internal audit to enhance incident response plans.

  • Guidance: Internal audit can provide guidance on a plan that is aligned with cybersecurity policy and procedures while also being easier to implement and monitor.
  • Templates and playbooks: Internal audit can help ensure these are customizable and come preconfigured to automate multistep responses.
  • Tools: Internal audit can help identify tools to assist teams in responding to a greater number of increasingly sophisticated attacks on increasingly complex systems.

When an updated incident response plan is in place, it’s important to battle test the plan and adopt a centralized approach that provides a 360-degree view of an incident.




The test


Internal audit leaders know that organizations need to go on the offensive by aggressively testing their defensive measures. Many use the following advanced approaches in tandem:

  • Proactive cybersecurity assessment: This evaluates an organization’s environment for the presence of attacker activity, using tools like CrowdStrike to search for signs of compromise, technology hygiene issues and lack of controls.
  • Adversary emulation assessment (AEA): This is a controlled execution of a security test that mimics a real-world cyberattack to test the effectiveness of technical controls. It is different from a penetration test because it focuses on specific threat-actor tactics and control areas.

In tandem, these approaches add value by providing robust insights into cybersecurity control risks, system hygiene and potential exposures. They also afford deeper, more focused testing and yield recommendations that help defend against intrusions and respond to threats.

“A proactive cybersecurity assessment will use advanced tools to look for indicators of compromise,” Rai said. “And AEA certainly provides more technical insight into how these technical controls are configured, where the gaps are, how to strengthen cybersecurity and how to go on the offense against threats.”




Our cybersecurity and privacy insights