As cyber-threats persist, experts are prodding internal auditors to get more involved in at least identifying the risks, even if they aren’t information technology experts.
At a recent conference of the Institute of Internal Auditors, internal audit leaders who are on the front lines of the escalating cyber-war say there is more the internal audit department can and should do to bolster their organizations’ efforts. “The biggest thing you can do is help identify risk,” said Kelly Barrett, vice president of internal audit and corporate compliance at Home Depot, which suffered a blistering cyber-attack that so far has cost the company more than $230 million.
Home Depot began an extensive IT security and privacy risk assessment in 2010, said Barrett, but the company was not quick enough in implementing its risk mitigation strategy. The company’s risk assessment aligned nicely with the cyber-security framework issued in 2013 by the National Institute of Standards and Technology, providing “good validation” of the company’s risk assessment, she said.
Internal audit shops might find the enormity of the cyber-threat and the NIST framework daunting, especially if the staff is not deep in IT skills, but Barrett said professionals should not be deterred. “You don’t have to be an IT expert to do this risk assessment,” she said. “You can do it with really smart auditors who can ask lots of questions.”
As a starting point, said Barrett, internal auditors can leverage what they are already doing under Sarbanes-Oxley to scrutinize user access and segregation of duties. “Just do a deeper dive that wouldn’t be included in SOX,” she said. “We are experts in access management. You can do the inventory here. You’re not telling them how they need to technically fix things. It’s just what do we have in place, and what do we not have in place.”
Raj Chaudhary, a principal in risk consulting at Crowe Horwath who leads the security and privacy services group, says a comprehensive risk assessment must be done with the collaboration and cooperation of everyone in all three lines of defense. “It’s not something that internal audit can do on its own,” he says. “A security team cannot do whatever it wants to do. It has to involve people who really understand what is the important data you are trying to protect.”
“You don’t have to be an IT expert to do this risk assessment. You can do it with really smart auditors who can ask lots of questions.”
Kelly Barrett, VP of Internal Audit & Corporate Compliance, Home Depot
Chaudhary advocates a six-step approach to the risk assessment that begins with simply identifying all the critical data in the organization, then determining where it is stored and how it moves through the organization. The process continues with pairing threats, like unpatched systems or unauthorized administrative access, with vulnerabilities, like weaknesses in patch management or ineffective administrative account management.
“This is not the time for internal audit to be saying: what should I even do?” says Chaudhary. That was the same message delivered by Theresa Grafenstine, who serves as the top internal auditor at the U.S. House of Representatives with the title of inspector general. She was disheartened to find the latest data from the IIA’s newest Pulse of the Profession report shows a big difference between what internal auditors believe they should do with respect to cyber-threats, and what’s actually happening.
For example, 69 percent said internal audit should make significant effort to communicate on cyber-risk to the executive board and management, but only 40 percent actually do so. More than half said internal audit should ensure communication and coordination among all parties regarding the risks, but only one-third actually take on that task. In terms of providing assurance over the organization’s readiness and response to cyber-threats, 69 percent said internal audit should, but 26 percent said internal audit does.
“That’s an incredible gap,” said Grafenstine. “Is it compliance myopia?” She fears internal audit as a profession has become too checklist-minded. “If we approached driving a car the way we approached audits, always looking at the risks that are behind us, we would kill somebody. It’s the things out ahead of us that we don’t understand. That’s where we need to focus.”
The following graph from the IIA is a comparison of ideal and actual levels of effort concerning cyber-security.
Source: Institute of Internal Auditors
Grafenstine said if the enormity is too much for a given internal audit department to tackle, then go for the low-hanging fruit. “In 91 percent of all targeted attacks, it starts with a phish,” or an e-mail sent to an employee disguised to look like legitimate business communication, she said. “It’s someone sending an e-mail and someone clicking on it. If you could just get them to stop clicking on these links, that’s 91 percent.”
Training is critical, but so is testing employees with “white-hat hacking,” said Grafenstine. At the House, staff members plan and deploy false e-mails just to see if those receiving them are being alert. “I plant a flag to let them know we got in,” she says.
Marcus Christian, a partner with law firm Mayer Brown in cyber-security and data privacy, says phish tests are effective in seeing how alert employees are and where more training might be necessary. “As employees find they were tested and didn’t pass the test, it will make them more vigilant,” he says.
The Internal Revenue Service recently alerted companies to a phishing attack that has snared a number of companies where e-mails disguised to look like internal executive requests have lured employees to share W-2 data. Fraudsters are improving their tactics, says Christian, making it all the more difficult for companies to stay a step ahead.
One of the factors that makes a company more susceptible is having weak controls over who has access to such information or what may be sent by e-mail, says Christian. “Companies need to have protocols saying we would never send that information by e-mail, or there would be certain requirements that have to be met so that it’s not so easy for this to happen,” he says.
Phishing in particular is escalating because it works, says Christian. “It relies on social engineering, so you don’t have to be all that technically proficient, and it’s lucrative,” he says. “We live in a cyber-world and, in some ways, we all live in a bad neighborhood now.”