By Morgan International Staff Writers
The internal audit function provides a safety net for companies by identifying risk, and offering advice on how to manage it. With widespread and increasingly sophisticated cyber threats, the risk to business has become alarmingly high in recent years.
In fact, a 2017 government survey shows that cyber breaches or attacks affected nearly half of firms in the UK during the past year.¹ So how can an internal audit department help its company reduce exposure to cyber attacks, and deal with them effectively if they occur?
Independent cyber risk assessment
A risk assessment by the internal audit function establishes the strengths and weaknesses of any existing strategy, and helps to implement a stronger plan to deal effectively with current threats.
A completed assessment would include:
- Potential origins of a cyber attack: for example, an organised gang of cyber criminals, a single independent hacker, business competitors, or someone working for the company
- Reason for an attack: potentially financial, purely disruptive, reputation damage, or theft of strategic plans
- How an attack might occur: phishing emails, stolen personal information, vulnerabilities in hardware or software programmes
Advising management on the level of risk and how to manage it
Having assessed the measures currently in place, internal audit can advise management on their effectiveness, and suggest potential changes or updates. They will provide information on:
- Existing and emerging cyber threats
- Vulnerability of the business to cyber attack
- A strategy to mitigate and manage risks in the long term
- Plans to deal with the crisis if an attack occurs
Once new systems are in place, or existing cybersecurity measures have been updated, internal audit carry out what is potentially the most important aspect of their role – testing compliance and establishing whether the security and recovery plans actually work.
After an attack
Internal audit should work alongside the IT department at every stage, and if the company is unfortunate enough to suffer an attack, use the newly found information to re-evaluate its plans for the future.
Cybersecurity is a critical issue for every business - even the smallest enterprise is at great risk. It is crucial, therefore, that personnel understand how to prevent such an attack on a day-to-day basis. To increase your knowledge in this area and help to safeguard your company, have a look at the accredited training courses on our website.