Internal Auditors Play Hero’s Role in Cybercrime Fight
By Arjun Ruparelia
COVID-19 has dramatically accelerated cybercrime, with a significant change in focus from individuals and small businesses to the critical infrastructures of major corporations and governments. These organizations’ sudden need to shift their employees to remote locations presented a considerable challenge and gave hackers and cybercriminals the perfect opportunity to attack their increasingly vulnerable systems.
According to a report by the Identity Theft Research Centre, there was a 17-percent increase in data breaches in 2021 compared to the previous year.
Understandably, there are growing concerns in boardrooms and regulatory offices about this rise in cybercrime. Under the U.S. Securities and Exchange Commission (SEC) guidance, public companies are expected to address potentially material cybersecurity risks and cyber incidents in the Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A).
Former U.S. President Barack Obama’s Executive Order (EO) 13636 — Improving Critical Infrastructure Cybersecurity — also highlighted the role of businesses in improving the country’s cybersecurity framework and the need to adapt to rapidly changing regulatory agency expectations and oversight.
This is where internal auditors come in. Let’s explore the crucial role they play in keeping organizations safe in an increasingly dangerous online world.
The Cybercrime Threat Against Businesses
Digging deeper into specific cybersecurity breach methods, a study by a consortium of researchers, including WMG, University of Warwick, found that 86 percent of attacks involved phishing, while just five percent were hacking attempts.
Giving further insight into this phishing method, Dr. Harjinder Lallie from WMG explained that, “Many cyberattacks begin with a phishing campaign, which directs victims to download a file or access a URL. The file or the URL acts as the carrier of malware which, when installed, acts as the vehicle for financial fraud.”
While the pandemic is gradually nearing its end (or so we believe), phishing campaigns haven’t. With businesses continuing their operations remotely, hackers still have ample opportunity to disrupt systems and commit fraud.
The onus is on businesses to find ways to protect their online assets. Building a robust cybersecurity infrastructure has emerged as the best weapon to help organizations, businesses and governments protect their assets from cybercrime.
Digital adoption is vital for businesses to succeed today. Companies are, therefore, obliged to ramp up their budget to expand their digital presence.
While they can deliver fantastic results, the inherent nature of many technologies can increase the risk of cyberattacks. For instance, sharing vital company data over email can be detrimental, as they are easy targets for hackers. They can easily gain control of an employee’s email or social media accounts and gain access to confidential data.
Sensitive data can be also intercepted without the proper security measures. This can lead to intellectual property or financial loss and tarnish a company’s image.
How Internal Auditors Bolster Security
Businesses rely on their internal audit teams to proactively monitor their system for vulnerabilities. Internal auditors, therefore, play a key role in protecting a business against cybercrime by forming the first line of defense.
Information technology and engineering teams work round the clock to improve their company’s digital assets and ensure a safe environment for storing their business’s and client’s information. Internal auditors complement their work by laying out processes and procedures that minimize fraud risk. They assess potential risks to the business’s data and, where required, add internal control to ensure the data’s safety.
The Internal Auditor’s Approach to Risk
Internal auditors can design various mechanisms to prevent and detect risks in an organization’s systems. The internal control structure typically addresses risk at three touchpoints:
Most organizations have security measures to protect their data and other assets from being misused. More prominent organizations usually have better security tools, but since most systems aren’t bulletproof, companies need an internal control system that works as a preventive measure. An internal control system protects a business’s assets against unauthorized access or use, which helps minimize risk.
Internal auditors must check their systems for obsolescence to ensure new threats are not only detected but also addressed as efficiently as old ones. Therefore, internal auditors must regularly test their system’s capability to prevent threats using threat intelligence and behavioral and risk analyses.
It is challenging to control what goes on inside every device connected to an enterprise’s network. Therefore, having a standard response to a threat or attack is vital. When reviewing their company’s cybersecurity tools, internal auditors must also look for disaster recovery plans and incident response protocols.
Internal Auditors Collaborate With Other Experts
An organization’s cybersecurity is the collective responsibility of departments that handle data. Therefore, internal auditors collaborate with several departments while ensuring that the business’s data remains safe.
All employees, from junior to senior, are responsible for ensuring data integrity. They must ignore sensitive client emails, protect assets, ignore spam and ensure they do not visit sites that lack the required protection certificates.
The IT team plays a key role in ensuring data security. They must stay vigilant and address any data liabilities within their systems that could affect the company. The IT team is held accountable for any security breaches and malware attacks against an organization’s systems.
However, internal auditors also have a role to play in maintaining the business data’s integrity. They design an internal control structure to ensure that the processes within other departments don’t leave room for fraud or other loopholes that can compromise data security. For this, they must collaborate with other departments and create an internal control structure that’s both effective and has a minimal impact on efficiency.
Internal auditors often rely on experts for creating an internal control system. An internal auditor is not a security professional and therefore does not have the skills to work with advanced cybersecurity technologies. Hence, the internal audit team must consult subject matter experts and seek their guidance to unlock gaps in the system.
Internal Auditors Must Present Relevant Findings
If the internal auditor finds a relevant event that requires attention, they must present management with details about it. They should also state the reasons for the internal control system’s failure to prevent an adverse event.
An internal auditor isn’t just required to assess an issue. They must also be a strategic advisor to a company’s leaders. They play a critical role in helping organizations mitigate risk through controlled procedures, but to provide value, they need the right set of tools.
CaseWare IDEA can provide internal auditors with a powerful set of functions to perform their roles around cybersecurity more effectively. Curious to learn more? Explore the many features of IDEA today.