When discussing cybersecurity, Sajay Rai, CPA, likes to compare an organization’s network and systems to a castle.
The moat surrounding the castle is analogous to the network’s outer defenses. But additional defenses exist, too—a gate, sentries, and locks. And the crown jewels, locked away in a safe place, are protected more than anything else in the castle.
Rai said the additional layers of defense also should exist in an organization’s systems, with the most sensitive information protected by the most layers. According to Rai, organizations that for many years invested security resources primarily into their outer network perimeter now have learned that it’s important to beef up other layers of defense, too.
“Just protecting the outer gate of the castle, so to speak, is not enough,” Rai said. “You need a layered defense. Although a network perimeter is definitely that first layer of defense, it should not be the only one.”
If the system’s outer defense is breached, additional controls can protect the most sensitive information. These controls can include access restrictions, encryption, intrusion detection systems, and other preventive and detective techniques.
Rai, founder and CEO of IT consulting organization Securely Yours LLC, co-authored a report released this week that identifies 10 top technology risks and explains how internal auditors can help manage those risks. The report, Navigating Technology’s Top 10 Risks, was issued Wednesday by The Institute of Internal Auditors (IIA) Research Foundation and is available for download on the IIA’s website.
Rai suggested that the health of any organization’s security program is only as strong as its weakest link. He said internal audit can use the top 10 risks to identify weak links and work on correcting them. According to Rai, internal audit can help an organization manage technology risks by:
- Addressing the risk of excessive access. Rai said internal auditors need to look beyond compliance exercises with respect to technology and seek ways to mitigate risks associated with access, particularly to sensitive information. Rather than just periodically reviewing access practices to remain in compliance with standards, Rai said internal auditors need to focus on critical systems and monitor who has access to those systems. He said tools are available now that can alert internal audit when users are accessing information that’s supposed to be off-limits to them. “Instead of a passive exercise, it can be an active exercise,” he said.
- Highlighting the risks of emerging technologies. It’s easy for organizations to focus on the benefits of technologies, for example, the internet of things, which may reduce car crashes by allowing vehicles to communicate with one another. The risk in this example is that hackers may be able to take over the systems of vehicles in motion and create havoc. “Internal audit’s role is to make sure the organization understands not just the enablers and the positives, but also the risks, and help mitigate those risks,” Rai said.
- Scanning for weaknesses—and preparing a response. Rai recommended that organizations perform vulnerability scans of their networks quarterly and conduct penetration tests of critical systems and sensitive environments at least annually. Internal audit can participate in these tests and monitor simulation exercises to prepare organizations to respond if a breach does occur.
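The “active exercise” Rai describes under excessive access, as an added illustration that is not from the report or from Rai: instead of a periodic review, an entitlement list for critical systems is checked continuously against access log lines, and any access a user is not entitled to is raised as an alert for internal audit. The systems, users and log format are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: which users are entitled to which critical systems.
# Hypothetical data for illustration only, not drawn from the IIA report.
ENTITLEMENTS = {
    "alice": {"payroll", "gl"},
    "bob": {"gl"},
    "svc_backup": {"payroll", "gl", "hr"},
}
CRITICAL_SYSTEMS = {"payroll", "gl", "hr"}

# Constructed access log lines in a simple "timestamp user system action" format.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice payroll READ
2024-05-01T09:05:40Z bob payroll READ
2024-05-01T09:06:02Z bob hr EXPORT
2024-05-01T10:15:33Z carol gl READ
2024-05-01T10:16:00Z alice gl WRITE
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def find_off_limits_access(log_text, entitlements=ENTITLEMENTS, critical=CRITICAL_SYSTEMS):
    """Return (timestamp, user, system, action) tuples for every access to a
    critical system by a user who is not entitled to it. A user absent from the
    entitlement list is treated as entitled to nothing, so every critical-system
    access by that user is flagged."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole review
        ts, user, system, action = m.groups()
        if system not in critical:
            continue  # non-critical systems are out of scope for this check
        if system not in entitlements.get(user, set()):
            alerts.append((ts, user, system, action))
    return alerts


def summarize_by_user(alerts):
    """Group alerts per user, the view an auditor would actually review."""
    summary = defaultdict(list)
    for ts, user, system, action in alerts:
        summary[user].append(f"{ts} {system} {action}")
    return dict(summary)


if __name__ == "__main__":
    for user, events in summarize_by_user(find_off_limits_access(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {len(events)} off-limits access(es)")
        for event in events:
            print("   ", event)
```

Feeding the check from a log pipeline rather than a static string turns the quarterly access review into a standing control, which is the shift from passive to active that the text describes.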
Rai said internal audit at most organizations does not possess the technical expertise to perform in all of these areas as skillfully as it should. He recommended that internal audit get outside help where necessary, as its role evolves along with the technology organizations are using.
“With all the recent news we’re seeing about data breaches and other activities in the media, internal audit has a key role to play,” Rai said. “And that role comes in terms of understanding where the risks are and helping mitigate those risks.”
—Ken Tysiac (ktysiac@aicpa.org) is a JofA editorial director.