Cyber incidents, such as IT outages, data breaches or ransomware attacks, are considered the
Indeed, the cumulative legal, regulatory, reputational and operational cost of a single data breach reached an all-time high of $4.4 million in 2022 and is expected to surpass $5 million in 2023, according to a study by Ponemon Industry. Further, the cost of cybercrime is predicted to hit $8 trillion in 2023 and is expected to grow to $10.5 trillion by 2025 according to Cybersecurity Ventures.
In our digital environment, every company is now an easy target, and every company, large or small, has operations, reputation, brand and revenue pipelines that are potentially at risk from a breach.
While businesses acknowledge that cyber risk is one of their greatest operational threats, navigating the threat is a Catch-22 as vulnerability to cyberattacks is proportional to the scale of digital transformation initiatives like remote capabilities or cloud software. In this context, becoming "less digital" is not a viable route to managing cyber risk, instead highlighting the importance of established lines of defence that control and mitigate risk.
In 2023, the landscape of cyber risks is diverse and exponentially growing in sophistication and volume.
What are the key cyber security threats businesses need to consider?
Severe business interruptions can result from a wide range of cyber-related vectors, including malicious attacks by criminals or nation-backed hackers, human error or technical glitches. Hackers are increasingly targeting both digital and physical supply chains, which provide opportunities to attack multiple companies simultaneously and gain additional leverage for extortion.
Enterprises are particularly vulnerable to cyber risks due to their large scale, complexity and interconnectedness. Furthermore, the increasing use of cloud services and the Internet of Things creates new attack vectors that are difficult to secure. To address these risks, organizations need to develop robust cyber risk management strategies that involve all stakeholders.
Ransomware: Not only is ransomware considered the top cyber threat to both the public and private sectors, but also the crime — cyber or otherwise — is expected to increase the most, according to
Phishing: Second only to ransomware is the threat of phishing, according to Interpol, which is often conducted in tandem with ransomware attacks. Phishing is commonly defined as a technique used by hackers to exfiltrate valuable data or to spread malware. Anyone can be fooled by a targeted phish, as it uses increasingly sophisticated and tailored tactics to emulate a familiar or safe situation in a bid to make the recipient of a phishing attack engage with the hacker.
Business email compromise: A common phishing mechanism is business email compromise. The research company
Business email compromise attacks are no longer limited to traditional email, with attackers leveraging collaboration tools including WhatsApp, LinkedIn, Facebook, Twitter and others.
Brand impersonation: Hackers mostly
Phishing via brand or leadership impersonation attacks highlights a core area of enterprise cybersecurity vulnerability — the actions of individual employees. Whether engaging with a risky email, or using a personal device to access corporate data in an insecure manner, poor security habits and lack of knowledge among users are making organizations vulnerable to potential risks.
The Three Lines Model: roles and responsibilities
An approach to improve the effectiveness and efficiency of risk and control functions within organizations is provided in the Institute of Internal Auditors' Three Lines Model, issued in July 2020 and designed to help internal auditors develop competence in providing assurance over cybersecurity risks. Ensuring the three lines are properly segregated and operating effectively is an essential step in evaluating the internal audit activity's role in cybersecurity.
Additionally, an escalation protocol should be established to define the roles and responsibilities involved in identifying and escalating risks that exceed the organization's risk appetite — the level of risk that an organization is willing to accept. The second line comprises the risk, control and compliance oversight functions responsible for ensuring that first-line processes and controls exist and are operating effectively.
These functions may include groups responsible for ensuring effective risk management and for monitoring risks and threats in the cybersecurity space. As a third line role, the internal audit activity provides senior management and the board with independent and objective assurance on governance, risk management and controls. This includes assessing the overall effectiveness of the activities performed by the first and second lines in managing and mitigating cybersecurity risks and threats.
The internal audit activity plays a crucial role in assessing an organization's cybersecurity posture and risks by considering:
- Who has access to the organization's most valuable information and data?
- Which assets are the likeliest targets for cyberattacks?
- Which systems would cause the most significant disruption if compromised?
- Which data, if obtained by unauthorized parties, would cause financial or competitive loss, legal or reputational damage to the organization?
- Is management prepared to react quickly if a cybersecurity incident occurs?
How to conduct an internal audit on cybersecurity
To effectively audit cyber risks, internal audit needs to possess certain key capabilities. These include understanding of the latest cyber threats and trends, knowledge of the organization's IT environment and cybersecurity framework, and expertise in risk management and data analytics.
Internal audit should also take a collaborative approach, translating complex IT and risk management frameworks into engaging board-level solutions. The role entails working closely with other functions such as IT, risk management and compliance to help identify and manage cyber risks while partnering with the board to continually align the cybersecurity policy with the corporate strategy.
To conduct a strong internal audit of cyber risk, organizations need to adopt a risk-based approach. This involves identifying the most critical assets and systems that need to be protected, both internal and external, and assessing the risks associated with these assets. Internal audit should also evaluate the effectiveness of existing controls and identify areas for improvement. This can be done through testing and simulation exercises such as penetration testing and tabletop exercises.
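The risk-based approach described above, combined with the escalation protocol against a stated risk appetite from the Three Lines section and the access and criticality questions listed earlier, can be made concrete as a small asset register. The following is an added example written for this page, not code from the article or from the Institute of Internal Auditors; the asset names, the 1 to 5 likelihood and impact scales, the control-effectiveness figures, the risk appetite of 6 and the privileged-account threshold of 5 are all constructed assumptions chosen to illustrate how residual risk, audit priority and escalation decisions follow from the register.

```python
"""Risk-based prioritisation of an asset register against a stated risk appetite.

Added example for illustration only; every name, score and threshold below is a
constructed assumption, not data from the article or any organisation.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed organisational risk appetite: residual scores above this must be escalated.
RISK_APPETITE = 6.0
# Assumed threshold above which the privileged-access population gets a dedicated review.
MAX_PRIVILEGED_USERS = 5


@dataclass
class Asset:
    name: str
    likelihood: int               # 1 (rare) .. 5 (almost certain) that a threat materialises
    impact: int                   # 1 (negligible) .. 5 (severe disruption, legal or financial loss)
    control_effectiveness: float  # 0.0 (controls absent or failing) .. 1.0 (fully mitigating), from control testing
    privileged_users: int         # accounts with privileged access: "who has access to the data?"
    third_party_managed: bool = False  # operated by a vendor or cloud provider


def inherent_risk(asset: Asset) -> int:
    """Risk before controls: likelihood x impact, on a 1..25 scale."""
    return asset.likelihood * asset.impact


def residual_risk(asset: Asset) -> float:
    """Risk remaining once the tested effectiveness of existing controls is applied."""
    return round(inherent_risk(asset) * (1.0 - asset.control_effectiveness), 1)


def needs_escalation(asset: Asset, appetite: float = RISK_APPETITE) -> bool:
    """True when residual risk exceeds appetite; a score equal to appetite is tolerated."""
    return residual_risk(asset) > appetite


def audit_priority(register: list[Asset]) -> list[Asset]:
    """Order for audit attention: highest residual risk first, ties broken by inherent risk."""
    return sorted(register, key=lambda a: (-residual_risk(a), -inherent_risk(a)))


def escalation_report(register: list[Asset], appetite: float = RISK_APPETITE) -> list[dict]:
    """One row per asset in priority order, with the action the escalation protocol requires."""
    rows = []
    for asset in audit_priority(register):
        notes = []
        if asset.third_party_managed:
            notes.append("include in third-party assessment")
        if asset.privileged_users > MAX_PRIVILEGED_USERS:
            notes.append("review privileged access")
        rows.append({
            "asset": asset.name,
            "inherent": inherent_risk(asset),
            "residual": residual_risk(asset),
            "escalate": needs_escalation(asset, appetite),
            "notes": notes,
        })
    return rows


# Constructed sample register (assumed values, not real systems).
SAMPLE_REGISTER = [
    Asset("customer-db", likelihood=4, impact=5, control_effectiveness=0.5, privileged_users=12),
    Asset("erp-system", likelihood=3, impact=5, control_effectiveness=0.8, privileged_users=4),
    Asset("email-gateway", likelihood=5, impact=3, control_effectiveness=0.6, privileged_users=3),
    Asset("cloud-backup", likelihood=2, impact=5, control_effectiveness=0.0, privileged_users=2,
          third_party_managed=True),
    Asset("marketing-site", likelihood=4, impact=2, control_effectiveness=0.9, privileged_users=6),
]


if __name__ == "__main__":
    for row in escalation_report(SAMPLE_REGISTER):
        flag = "ESCALATE" if row["escalate"] else "monitor "
        print(f'{flag}  {row["asset"]:<15} inherent={row["inherent"]:>2} '
              f'residual={row["residual"]:>4}  {"; ".join(row["notes"])}')
```

Two points of the design are worth noting. The register ranks by residual rather than inherent risk, so a high-impact asset with strong, tested controls (the ERP system) drops below a mid-impact asset whose controls have not been evidenced (the cloud backup), which is where audit effort is actually needed. The comparison against appetite is strict, so the email gateway at exactly the appetite score is monitored rather than escalated, making the boundary decision explicit instead of leaving it to judgement at the time of reporting.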
One area where organizations tend to fall short is in cyber preparedness. Internal audit can play a crucial role in ensuring cyber risk management and preparedness are integrated with the organization's overall risk management strategy. Overall, the components of enterprise cyber preparedness are essential for organizations to effectively manage cyber risks and protect their business operations, customers, and reputation.
Components of enterprise cyber preparedness
The components of enterprise cyber preparedness are the various elements that make up an organization's overall approach to managing cyber risks. These components include:
- Governance and strategy: This component includes the organization's cybersecurity policies, procedures and frameworks, as well as its risk management strategy for addressing cyber risks.
- Risk assessment: The organization should conduct regular risk assessments to identify and prioritize cyber risks, including the potential impact on business operations, data confidentiality and customer trust.
- Incident response: The organization should have a comprehensive incident response plan in place that outlines the roles and responsibilities of key personnel, the steps to be taken in the event of a cyber incident, and the procedures for restoring normal business operations.
- Security controls: The organization should implement appropriate security controls to protect its systems, networks and data from cyber threats. These controls may include firewalls, intrusion detection and prevention systems, access controls, encryption and anti-virus software.
- Employee awareness and training: Employees are often the first line of defense against cyber threats, so the organization should provide regular awareness and training programs to help them identify and respond to cyber risks.
- Third-party risk management: The organization should also assess and manage the cybersecurity risks associated with third-party vendors and service providers, including cloud providers and other outsourcing partners.
- Continuous monitoring and improvement: Finally, the organization should regularly monitor its cybersecurity posture and assess the effectiveness of its controls, policies, and procedures. This will help identify any gaps or weaknesses in the organization's approach to managing cyber risks and enable the organization to continually improve its cyber preparedness.
A key area for improvement is in supply chain management. Many organizations rely on third-party vendors and suppliers for critical services and products, and these vendors can be a source of cyber risks. Internal audit should assess the cybersecurity practices of third-party vendors and suppliers and ensure they comply with the organization's cybersecurity standards.
In conclusion, cyber risks are a growing threat to organizations, and internal audit has become a necessary line of defense in organizational management of these risks. Assessing the risk landscape, adding and reviewing internal controls, and using data analytics tools can make the difference. By taking a collaborative and risk-based approach, internal audit can help organizations navigate the complex and constantly evolving landscape of cyber risks.