Find the Easy Wins in Cybersecurity for Internal Audit
With a new year come new challenges, and based on trends from 2020, among the biggest challenges that internal audit will face in 2021 are cybersecurity and fraud.
As you may have noticed from the headlines, cybersecurity incidents and fraud have increased significantly since the pandemic began. Complaints to the FBI’s Cyber Division are up 400% since prior to the COVID-19 pandemic.
Given the global disruptions in 2020, this is hardly surprising—cyber fraud spikes in times of vulnerability and change in people’s personal and professional lives. The risk of system breaches has also expanded as employees were forced to work remotely on short notice, with little technological or security infrastructure to support them.
Cyber threats are one of the most frequent and damaging risks faced by organizations today. In 2020, data breaches cost companies an average of $3.86 million per breach. That kind of cost can be fatal for many businesses.
Internal audit needs to bolster cyber resilience within organizations to mitigate this threat. As auditors, you need to be establishing, enhancing, or reviewing your organization’s cybersecurity strategy. And, yes, today a cybersecurity strategy and action plan are essential must-haves for all organizations.
Find the Easy Wins
Cybersecurity can seem over-complicated as a concept. Organizations’ perception that they have to have a comprehensive strategy in place right now can lead to a kind of paralysis. Intimidated by the complexity of assembling such a plan, many companies will put off the decision-making and never complete cybersecurity preparations.
If this sounds familiar, instead of doing nothing, look for some low hanging fruit that will begin to offer some immediate protection. At the same time, you consider other elements of a more comprehensive approach to cybersecurity.
An easy win can often be had simply by looking at the software used within your organization.
The Excel Achilles’ Heel
To begin this search, look no further than Excel, the ubiquitous spreadsheet program on which most organizations are over-reliant. Dealing with your exposure via Excel is a quick win while you work on an overall cybersecurity plan.
Excel presents unique security challenges. It is routinely used in situations it was not designed for, and it lacks any protection for data security. Anyone emailed a spreadsheet can alter the data, either deliberately or accidentally, and pass it along with no one the wiser. While it is possible to lock or password protect a spreadsheet, these protections are minimal and easily defeated (particularly by a motivated party).
But you don’t even need to be concerned about malice, necessarily. Simple human and programming errors can be disastrous when it comes to Excel.
Take, for example, the Excel-related snafu that Public Health England had recently in which nearly 16,000 COVID-19 test results went missing. As it turns out, Public Health England had input so much data into the Excel sheet they were using to track test results that they exceeded the maximum number of rows that an Excel file can hold—in new versions of the program that is 1,048,576 rows, but in older versions still in use by many organizations that’s just 65,536. When new data was added, the program essentially ‘forgot’ the rows that got pushed off the bottom of the sheet.
Similarly, in 2013, an Excel error at JPMorgan hid the loss of almost $6 billion US after a cell in a spreadsheet was mistakenly set to divide by the sum of two interest rates, rather than by the average.
While these are not instances of fraud themselves, they show the program’s fragility and the kind of pervasive vulnerabilities that can be exploited to commit fraud.
Moving Beyond Excel
Moving into 2021, Internal Audit will need to offer input to management on how best to balance cyber risk and business needs. Adopting a secure internal audit software with built-in information security is an easy way to eliminate some of the Excel-related vulnerabilities your organization may face.
Caseware’s IDEA Data Analysis Software is a comprehensive, powerful, and easy-to-use data analysis solution designed by audit experts. Whether you want to identify anomalies, trends, or patterns, IDEA offers anti-fraud solutions with built-in information security to protect your data and your business.
To find out more about non-Excel-based solutions and how Caseware’s IDEA can help protect your organization from fraud, download our free whitepaper, Beyond Excel, today.