How internal audit can fortify cybersecurity

When you’re trying to stay a step ahead of ransomware attackers, adjusting your organization’s cybersecurity profile can start to seem like an endless game of whack-a-mole.

But it’s a game you must master, as system complexities, interconnected services and accelerating changes have created an explosive risk of business disruption.

As ransomware threats expand, internal audit leaders can play a vital role in delivering value-driven insights that help management and the audit committee understand the organization’s cybersecurity risks, resilience and potential for recovery.

Ransomware attacks can be launched from undetected software vulnerabilities, or when an employee opens a phishing email and clicks a link that unleashes malicious software. Such software can cut to the core of business operations and drive companies to pay multi-million-dollar ransoms. In June, the White House warned corporate executives to reassess defenses against these attacks, after ransomware at a meatpacker disrupted meat production in North America and Australia.

 
Attacks on the rise
Recent news has highlighted cyberattacks that target Log4j, SolarWinds and other emerging vulnerabilities.

Whether attacks begin from these vulnerabilities, phishing emails, infected websites or elsewhere, organizations need an effective incident response and a proactive approach to reduce the risk of future attacks. Your internal audit team can be well-positioned to help you fortify internal systems against the breadth and impact of a ransomware attack.
“No company is safe from being targeted by ransomware, regardless of size or location,” wrote Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, adding, “We urge you to take ransomware crime seriously and ensure your corporate cyber-defenses match the threat.” Leaders must ensure that they have called upon their best resources to take dynamic and effective action.

The role of internal audit
As cybercrimes accelerate, a crucial role has evolved for internal audit. Internal audit must help their organization anticipate, adapt and respond to these attacks against a backdrop of faulty or neglected systems and practices. Four critical areas often provide openings for these attacks:

  • Cybersecurity resilience: As the list of threats grows, the maturity of cybersecurity resilience often fails to keep pace.
  • Third-party ecosystems: Companies are expanding their reliance on third parties, entrusting them with greater access to organizational data and critical tasks, while monitoring and lifecycle management of third parties has often lagged.
  • Advanced technology solutions: The march of automation, data-rich production cycles and the use of third parties make entire industries vulnerable to cyberattacks.
  • Data governance: Few organizations have a formal and mature governance framework in place to enforce data classification, lifecycle management and technology solutions.

“We’re seeing a move away from looking at strict capabilities and components of cybersecurity into the broader conversation of cybersecurity resilience,” said Grant Thornton Partner in IT and Cybersecurity Internal Audit Scott Peyton. Peyton said that organizations are asking larger questions like “What’s the resilience of the organization to respond, adequately mitigate risk and keep the organization from harm?”

The larger question of resilience
Overall cybersecurity resilience is a critical factor in defending against ransomware attacks. It requires organizations to prepare for impacts from cyberattacks that cannot be predicted or prevented. It also requires close collaboration with third-party service providers, intelligence agencies, industry groups, security analysts, customers and supply chains.

The key elements of cybersecurity resilience include:

  • Governance: This includes building collaborative communities and intelligence sharing, assessment and validation, defining and enforcing roles and responsibilities, promoting accurate reporting, and making informed decisions.
  • Detective and protective controls: Some examples of controls are user access reviews, strategic system segmentation and user integrity assurance. These follow the principle of least privilege, ensuring that access is aligned to the minimum access needed to perform a job.
  • Technical capability with optimized controls: This calls for ensuring that the standard response processes to an attack become the minimum acceptable level; reviewing changes in technology; tracking, logging and alerting; and testing the controls through the use of adversary emulation.
  • Response and recovery: It is essential to regularly update incident response plans, train users based on current threats, and build resilience recovery based on the standard recovery processes of backup, disaster recovery and continuity planning.

The most important aspect of cybersecurity resilience is a coordinated defense that merges all of these elements into a unified strategy and architecture.
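The user access reviews mentioned above are easiest to understand as a concrete check: compare what each account can actually do against the minimum its job role needs, and flag the difference. The script below is an added illustration, not code from the article or from Grant Thornton; the role baselines, account records and the 90-day dormancy threshold are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed role baselines: the minimum permission set each job role needs.
# In a real review these come from the organization's access model, not from code.
ROLE_BASELINES = {
    "accounts_payable": {"erp.invoices.read", "erp.invoices.approve"},
    "helpdesk": {"ad.password.reset", "ticketing.read"},
    "dba": {"db.read", "db.write", "db.admin"},
}


@dataclass
class Entitlement:
    """One account as exported from an identity system (constructed record shape)."""
    user: str
    role: str
    permissions: set
    last_login: date
    enabled: bool = True


def review_access(entitlements, baselines, today, dormant_days=90):
    """Least-privilege review: return a finding for every account that
    (a) holds permissions beyond its role baseline,
    (b) is enabled but has not logged in within `dormant_days`, or
    (c) is mapped to a role with no defined baseline (cannot be evaluated)."""
    findings = []
    for e in entitlements:
        baseline = baselines.get(e.role)
        if baseline is None:
            findings.append({"user": e.user, "issue": "unknown_role", "detail": e.role})
            continue
        excess = sorted(e.permissions - baseline)
        if excess:
            findings.append({"user": e.user, "issue": "excess_permissions", "detail": excess})
        idle_days = (today - e.last_login).days
        if e.enabled and idle_days > dormant_days:
            findings.append({"user": e.user, "issue": "dormant_enabled_account", "detail": idle_days})
    return findings


def summarize(findings):
    """Count findings per issue type for the audit report."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


# Constructed sample export with a fixed review date so results are reproducible.
TODAY = date(2024, 1, 15)
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "accounts_payable",
                {"erp.invoices.read", "erp.invoices.approve"}, date(2024, 1, 12)),
    # bob has a database admin right that no helpdesk task requires
    Entitlement("bob", "helpdesk",
                {"ad.password.reset", "ticketing.read", "db.admin"}, date(2024, 1, 5)),
    # carol's privileged account is still enabled but unused for ~200 days
    Entitlement("carol", "dba",
                {"db.read", "db.write", "db.admin"}, date(2023, 6, 29)),
    # dave is mapped to a role the access model does not define
    Entitlement("dave", "contractor", {"ticketing.read"}, date(2024, 1, 10)),
]

if __name__ == "__main__":
    results = review_access(SAMPLE_ENTITLEMENTS, ROLE_BASELINES, TODAY)
    for f in results:
        print(f"{f['user']:8} {f['issue']:25} {f['detail']}")
    print(summarize(results))
```

The point of the example is the shape of the control rather than the specific rules: the baseline is the thing auditors validate against, the export is the evidence, and the findings are what management has to remediate or formally accept.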

The evaluation of evaluations
To form a coordinated defense, organizations must ensure that their technical controls stay updated and effective across a range of factors. Internal audit can play an invaluable role in evaluating the risk landscape, communicating the impact of a risk materializing, performing technical audits aligned to changing risks, reviewing cybersecurity insurance coverage and ensuring board-level reporting.

Too often, organizations incorrectly assume that implementing technical controls is enough to protect against attacks, said Grant Thornton Director for IT and Cybersecurity Internal Audit Vikrant Rai.

“A lot of times, you’ll see that these technical controls are not configured correctly or are in the process of finding the right balance between protection and enabling business,” Rai said. “It’s kind of a three-legged stool: People, processes and technology. Often, what we see is that there can be some great technology, but the three-legged stool falls down on the side of configuration, overall monitoring, management and ongoing sustainability.”

One effective way to evaluate technical controls is by using a risk-based framework. Internal audit can leverage comprehensive standards such as those established by the National Institute of Standards and Technology (NIST).

(Chart 1: NIST standards; image not reproduced)

These standards and others in the NIST 800 series provide practical guidance on how to address tangible risks with technical controls:

(Chart 2: NIST 800-series guidance mapped to technical controls; image not reproduced)

“Having a risk-based approach, taking the right framework and applying it to the audit is going to be critical in how we evaluate the overall effectiveness of these controls,” Rai said.

The plan to respond
When internal audit stays up to date with cybersecurity trends and leading practices, it is well-positioned to independently monitor an organization’s cybersecurity resilience, recommend how the organization can mature its program and update its incident response plan.

There are several opportunities for internal audit to enhance incident response plans.

  • Guidance: Internal audit can provide guidance on a plan that is aligned with cybersecurity policy and procedures while also being easier to implement and monitor.
  • Templates and playbooks: Internal audit can help ensure these are customizable and come preconfigured to automate multistep responses.
  • Tools: Internal audit can help identify tools to assist teams in responding to a greater number of increasingly sophisticated attacks on increasingly complex systems.

When an updated incident response plan is in place, it’s important to battle test the plan and adopt a centralized approach that provides a 360-degree view of an incident.

The test
Internal audit leaders know that organizations need to go on the offensive by aggressively testing their defensive measures. Many use the following advanced approaches in tandem:

  • Proactive cybersecurity assessment: This evaluates an organization’s environment for the presence of attacker activity, using tools like CrowdStrike to search for signs of compromise, technology hygiene issues and lack of controls.
  • Adversary emulation assessment (AEA): This is a controlled execution of a security test that mimics a real-world cyberattack to test the effectiveness of technical controls. It is different from a penetration test because it focuses on specific threat-actor tactics and control areas.

(Chart 3: proactive cybersecurity assessment and adversary emulation assessment; image not reproduced)

In tandem, these approaches add value by providing robust insights into cybersecurity control risks, system hygiene and potential exposures. They also afford deeper, more focused testing and yield recommendations that help defend against intrusions and respond to threats.

“A proactive cybersecurity assessment will use advanced tools to look for indicators of compromise,” Rai said. “And AEA certainly provides more technical insight into how these technical controls are configured, where the gaps are, how to strengthen cybersecurity and how to go on the offense against threats.”

Contacts:

Scott Peyton
Partner, IT and Cybersecurity Internal Audit
T +1 303 813 3971


Vikrant Rai
Director, IT and Cybersecurity Internal Audit
T +1 212 624 5212