October 11, 2020
Published: Internal Auditor
By: Richard Chambers
Cybersecurity remains one of the top and most vexing risks facing organizations large and small. Even as many in the global community face existential challenges from the COVID-19 pandemic, the ever-evolving risk of cyberattacks continues to find new ways to challenge controls and processes. And it only promises to become even more of a threat.
As we begin National Cybersecurity Awareness Month in the United States, internal auditors worldwide should be reminded of the urgency to keep up with changes in this risk area. Cybersecurity touches virtually every aspect of our organizations, from data collection, protection, and privacy to security concerns about the ubiquitous home work environment created by the pandemic.
Cyberthreats to organizations are well-documented:
• The average cost of a data breach is $3.86 million (IBM).
• Data breaches exposed 4.1 billion records in the first half of 2019 (RiskBased).
• 86% of breaches were financially motivated, and 10% were motivated by espionage (Verizon).
• Ransomware accounts for 27% of malware incidents (Verizon).
This year, the U.S. Cybersecurity and Infrastructure Security Agency is emphasizing personal accountability as part of Cybersecurity Awareness Month and promoting the social media hashtag #BeCyberSmart.
The IIA is doing its part, as well. Internal Auditor magazine launched a four-week online cybersecurity series, 20 Questions Internal Auditors Should Be Asking. Each week this month, the series will examine a key area that practitioners should explore as they look to help protect their organizations. Each installment provides five questions to consider, beginning with five cyber-related questions for the C-suite.
I mentioned earlier that cybersecurity continues to evolve as a major threat. Even as organizations become more digitally savvy from the boardroom to the mailroom, the growing reliance on technology and connected devices adds new wrinkles to a risk that is already insidiously complex. What’s more, the pandemic is speeding up the pace of digital change.
A recently published study by IBM’s Institute for Business Value confirms what many have noted anecdotally: Organizations are accelerating their digital transformation. The report, COVID-19 and the Future of Business, finds a fundamental mindset change about technology induced by the pandemic.
From the report:
“The COVID-19 pandemic has forever altered how organizations around the world operate. Some 55 percent of respondents say the pandemic has resulted in ‘permanent changes to our organizational strategy.’ An even larger 60 percent say COVID-19 has ‘adjusted our approach to change management’ and ‘accelerated process automation,’ with 64 percent acknowledging a shift to more cloud-based business activities.”
That single paragraph from the report packs a big punch. It provides strong evidence that response to COVID-19 has evolved beyond crisis management to embracing technology at levels not seen before. This also increases the pressure on internal audit to expand its own IT and cyber skills to keep pace with organizations that are quickly becoming more digitally engaged. Additionally, as practitioners are limited in their ability to audit on site because of the pandemic, they will have to rely more than ever on technology to help them gather and verify evidence during engagements.
I have written before about the dangers of internal audit being resistant to change, especially in adopting and adapting to new technology. This marked acceleration of digital transformation makes it all the more imperative for internal audit to have its own digital epiphany.