Managing cyber risks: The role of Internal Audit

June 28, 2023

Doron Rozenblum, Managing Partner at Kreston-Ezra Yehuda-Rozenblum, was recently featured in Accounting Today, sharing insights on why internal audit is the key to cyber risk management. Cyber incidents, such as IT outages, data breaches, and ransomware attacks, are the highest global risk. Data breaches are particularly concerning for companies, with costs reaching a record high of $4.4 million in 2022 and projected to exceed $5 million in 2023. Other significant risks include ransomware attacks and failures in digital supply chains or cloud services. Cyber-related vectors, including criminal attacks, human error, and technical glitches, can cause severe disruptions to businesses. Hackers now target both digital and physical supply chains, posing a greater threat to small and mid-sized businesses, while large corporations invest more in cybersecurity.

The evolving landscape of cyber risks: Threats and trends

In the digital landscape, every company, regardless of size, is vulnerable to breaches that can jeopardise operations, reputation, brand, and revenue pipelines. The cyber risk landscape in 2023 is diverse and continuously evolving, with cybercrime costs predicted to reach $8 trillion by 2023 and $10.5 trillion by 2025.

Ransomware attacks, particularly through phishing, pose the greatest threat in both public and private sectors. These attacks are not only increasing in number but also in financial and reputational costs. Phishing involves hackers tricking individuals into sharing valuable data or spreading malware through deceptive emails, often impersonating higher-ranking individuals or trusted institutions. Business Email Compromise (BEC) is another serious issue, often associated with phishing. Attackers use collaboration tools beyond email, such as chat and mobile messaging applications, to carry out their schemes. Hackers frequently abuse Microsoft’s brand in phishing attacks, and brand impersonation attacks are concerning due to poor security habits and lack of user knowledge.

Fraud, especially identity theft, is trending digitally as more people engage in online banking and shopping. In 2022, consumers reported losing nearly $9 billion to fraud, a 30% increase from the previous year, with a significant number of identity theft reports.

Strengthening cyber risk management: Strategies for Internal Audit

Enterprises face heightened vulnerability to cyber risks due to their size, complexity, and interconnectedness. The use of cloud services and the Internet of Things (IoT) creates new attack vectors that are challenging to secure. Robust cyber risk management strategies involving all stakeholders are crucial to address these risks.

While artificial intelligence (AI) holds potential, it can also be a threat vector. AI systems and platforms should be implemented with caution due to the potential for inaccurate assumptions and conclusions drawn from unreliable sources.

Internal audit has evolved as a critical defence against cyber risks. It extends beyond financial areas to include cybersecurity. To effectively audit cyber risks, an internal audit requires understanding the latest threats, knowledge of the organisation’s IT environment and cybersecurity framework, expertise in risk management and data analytics, and collaboration with IT, risk management, and compliance functions.

A risk-based approach is necessary for a strong internal audit of cyber risk. Critical assets and systems must be identified and protected, existing controls should be evaluated, and areas for improvement should be identified. Cyber risk management should be integrated into the organisation’s overall risk management strategy, and regular updates on the cyber risk profile and emerging threats should be provided to the board and senior management. Supply chain management is another critical area that requires assessment of vendors’ and suppliers’ cybersecurity practices.

In conclusion, cyber risks pose a growing threat to organisations, and internal audit plays a vital role in managing these risks. Assessing the risk landscape, reviewing internal controls, and utilising data analytics tools are crucial for effective management. By adopting a collaborative and risk-based approach, internal audit can help organisations navigate the complex and evolving cyber risk landscape.

For more information, click here.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by the GDPR Cookie Consent plugin. It is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	This cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by the GDPR Cookie Consent plugin. It is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by the GDPR Cookie Consent plugin. It is used to store the user consent for the cookies in the category "Other".
cookielawinfo-checkbox-performance	11 months	This cookie is set by the GDPR Cookie Consent plugin. It is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
device_id	10 years	Cookie used to maintain a local copy of the user's unique identifier.
viewed_cookie_policy	11 months	This cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not a user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
currency	1 year	This cookie is used to store the currency preference of the user.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
ac_enable_tracking	1 month	This cookie is set by Active Campaign to denote that traffic is enabled for the website.
device_view	1 month	This cookie is used for storing the visitor device display inorder to serve them with most suitable layout.

Cookie	Duration	Description
__kla_id	2 years	Cookie set to track when someone clicks through a Klaviyo email to a website.
_ga	2 years	This cookie is installed by Google Analytics. It is used to calculate visitor, session and campaign data and it also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to identify unique visitors.
_ga_M0XVMQMRZ1	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_188891991_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gat_gtag_UA_7661078_5	1 minute	This cookie is set by Google and is used to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. It is used to store information on how visitors use a website and helps to create an analytics report on how the website is performing. The data collected includes the number of visitors, the source of visitors and the pages visited in an anonymous form.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	16 years 5 months 19 days 16 hours 12 minutes	These cookies are set via embedded YouTube videos. They register anonymous statistical data e.g. how many times the video is displayed and what settings are used for playback. No sensitive data is collected unless you log in to your Google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
hl	1 year	No description available.
ln_or	1 day	No description
prism_800686921	1 month	No description
SFSESSIDPROD	2 days	No description
SFSESSIDPROD_SH	session	No description

Choose your business type

Latest news

Kreston Global announces new Singapore firm

Accountancy services

Advisory services

Audit and Assurance

Outsourcing services

Tax services

Indirect taxes

Client success stories

Biosceptre, UK, Australia, UAE

Our network

Insight

Sustainability

Our membership

Opportunities

Our history

News

Managing cyber risks: The role of Internal Audit

The evolving landscape of cyber risks: Threats and trends

Strengthening cyber risk management: Strategies for Internal Audit