For internal auditors, the NTAS warning should spur quick action to assess or reassess their organizations’ cybersecurity posture. This is not just limited to U.S.-based auditors, as many U.S. companies have operations around the world that could be targets.
Organizations today are highly dependent on communications and other systems that rely on cyber networks. Attacks that compromise those networks can be more than just disruptive; they can be devastating. As the world has embraced the ease of connectivity in everything from home-based security to the operation of massive electrical power systems, it also has grown increasingly vulnerable to cyberattacks that could disrupt or even cripple whole economies.
Business Insider published an article last year that laid out just how such attacks could happen. It examined troubling and sobering scenarios that depict just how a coordinated and multipronged attack could take down fundamental systems upon which business and commerce rely. It accurately compared the fallout from such an attack to a major natural disaster in which power, water, and transportation systems are shut down, and modern business grinds to a halt.
Some might scoff at the likelihood of such a doomsday scenario, but that likelihood increases every day as the world becomes increasingly dependent on interconnected and highly automated systems. This is why protecting public infrastructure from cyber and physical attacks is vital.
The IIA published a Global Knowledge Brief for members only last year that addresses internal audit’s role in improving critical infrastructure resilience. Strategic Public Asset Protection looks at internal audit’s role within public sector entities that are responsible for response and recovery to natural or manmade threats to strategic public assets, such power grids or water systems. It also addresses auditing the adequacy and operating effectiveness of controls over preparedness across agencies and between levels of government.
Protiviti provided another resource last week when it published a flash report that presents a concise and useful outline for conducting an organizational cybersecurity assessment. The nine-point review covers basic but fundamental steps to evaluating how well an organization protects against, detects, and manages cyberattacks. While I won’t repeat the details of the report here, I can share the nine steps:
- Enhance security awareness.
- Identify the most critical systems.
- Implement mitigating controls to protect those critical technologies.
- Evaluate all access into systems and networks.
- Increase the sophistication of protection and detection strategies.
- Seek and share the latest cyberthreat information.
- Refresh the risk assessment process as it relates to cyberthreats more than once a year.
- Ensure the organization has a sound, up-to-date incident response plan.
- Ensure cyber defenses are adequately funded and staffed to manage the evolving risks and threats.
It is easy to dismiss the likelihood of a massive and crippling cyberattack as far-fetched or just another Black Swan. However, Black Swans — by definition events with low probability and high impact — have a way of showing up from time to time. Being prepared for them, especially when the stakes are so high, is imperative.
As always, I look forward to your comments.