Managing cyber risks: The role of Internal Audit

June 28, 2023

Doron Rozenblum, Managing Partner at Kreston-Ezra Yehuda-Rozenblum, was recently featured in Accounting Today, sharing insights on why internal audit is the key to cyber risk management. Cyber incidents, such as IT outages, data breaches, and ransomware attacks, are the highest global risk. Data breaches are particularly concerning for companies, with costs reaching a record high of $4.4 million in 2022 and projected to exceed $5 million in 2023. Other significant risks include ransomware attacks and failures in digital supply chains or cloud services. Cyber-related vectors, including criminal attacks, human error, and technical glitches, can cause severe disruptions to businesses. Hackers now target both digital and physical supply chains, posing a greater threat to small and mid-sized businesses, while large corporations invest more in cybersecurity.

The evolving landscape of cyber risks: Threats and trends

In the digital landscape, every company, regardless of size, is vulnerable to breaches that can jeopardise operations, reputation, brand, and revenue pipelines. The cyber risk landscape in 2023 is diverse and continuously evolving, with cybercrime costs predicted to reach $8 trillion by 2023 and $10.5 trillion by 2025.

Ransomware attacks, particularly through phishing, pose the greatest threat in both public and private sectors. These attacks are not only increasing in number but also in financial and reputational costs. Phishing involves hackers tricking individuals into sharing valuable data or spreading malware through deceptive emails, often impersonating higher-ranking individuals or trusted institutions. Business Email Compromise (BEC) is another serious issue, often associated with phishing. Attackers use collaboration tools beyond email, such as chat and mobile messaging applications, to carry out their schemes. Hackers frequently abuse Microsoft’s brand in phishing attacks, and brand impersonation attacks are concerning due to poor security habits and lack of user knowledge.

Fraud, especially identity theft, is trending digitally as more people engage in online banking and shopping. In 2022, consumers reported losing nearly $9 billion to fraud, a 30% increase from the previous year, with a significant number of identity theft reports.

Strengthening cyber risk management: Strategies for Internal Audit

Enterprises face heightened vulnerability to cyber risks due to their size, complexity, and interconnectedness. The use of cloud services and the Internet of Things (IoT) creates new attack vectors that are challenging to secure. Robust cyber risk management strategies involving all stakeholders are crucial to address these risks.

While artificial intelligence (AI) holds potential, it can also be a threat vector. AI systems and platforms should be implemented with caution due to the potential for inaccurate assumptions and conclusions drawn from unreliable sources.

Internal audit has evolved into a critical defence against cyber risks. It extends beyond financial areas to include cybersecurity. To audit cyber risks effectively, internal audit requires an understanding of the latest threats, knowledge of the organisation’s IT environment and cybersecurity framework, expertise in risk management and data analytics, and collaboration with IT, risk management, and compliance functions.

A risk-based approach is necessary for a strong internal audit of cyber risk. Critical assets and systems must be identified and protected, existing controls should be evaluated, and areas for improvement should be identified. Cyber risk management should be integrated into the organisation’s overall risk management strategy, and regular updates on the cyber risk profile and emerging threats should be provided to the board and senior management. Supply chain management is another critical area that requires assessment of vendors’ and suppliers’ cybersecurity practices.

In conclusion, cyber risks pose a growing threat to organisations, and internal audit plays a vital role in managing these risks. Assessing the risk landscape, reviewing internal controls, and utilising data analytics tools are crucial for effective management. By adopting a collaborative and risk-based approach, internal audit can help organisations navigate the complex and evolving cyber risk landscape.
