Internal audit and cybersecurity in the wake of the coronavirus pandemic
02 June 2020
Cybersecurity has been identified as a key risk for 2020 that auditors need to help organisations address. Internal audit and cybersecurity is particularly relevant in the current situation, as organisations adjust to both the unprecedented effects of the coronavirus pandemic and having their entire workforce working from home. Cybercriminals are looking for ways to exploit the uncertainty and worry many people are experiencing, and auditors need to be looking at how they can support businesses to mitigate this key risk.
Cybersecurity in 2020
78% of audit executives across Europe have identified cybersecurity as a high risk and priority area of concern. As technology and digital solutions evolve, cybercrime becomes more sophisticated. Methods like spear-phishing are used to target individuals to gain access to business and customer data. As an employee, you’re not being targeted for who you are, but for who your customers are, and business email compromise is the most effective way of gaining access to this type of confidential information.
Cybercriminals might use social media to gather information on the people they plan to target. For example, they can easily find out the names and job roles associated with a company on LinkedIn, allowing them to identify key targets. Other sites like Facebook are often used to get a picture of who these people are, the tone of voice they use, and details that could hint at their passwords. Once they have this intelligence, they can carefully craft an email to make it look like it’s coming from inside your organisation, even from a close colleague. An email like this is less likely to look suspicious at first glance, which is why it’s so effective.
The challenge remote working brings to cybersecurity
Remote working has enabled many businesses to keep going during the lockdown period. The downside to this, however, is that it leaves organisations more vulnerable to cybercrime. With most employees working from home, the attack surface increases. Some people might be using personal devices or networks that are less secure.
Policy experts at the World Economic Forum (WEF) have identified three areas of concern that pose a cybersecurity risk as a result of the COVID-19 situation:
- Increased dependence on digital infrastructure
- Use of social engineering to take advantage of individuals’ fear and worries
- Significant increase in the amount of time spent online 
Organisations need to prioritise these risks to ensure the security of their systems and data. It’s often said that people are an organisation’s biggest asset but also its biggest risk, which means employees need to be trained in how to maintain good cybersecurity practices on an individual basis.
The responsibility of businesses and collaborating
When you think of cybersecurity, it’s tempting to see this as the technology and security team’s responsibility. However, these teams are not necessarily knowledge experts in the key business objectives, focuses and risks. Auditors can help to facilitate the communication of key issues and concerns with technology teams to ensure they can mitigate these risks and identify training opportunities for employees in cybersecurity and best practices, such as creating secure passwords and maintaining computer and software updates.
Providing basic cybersecurity training across the organisation educates employees and helps them to recognise cybercrime, in turn ensuring they don’t succumb to a phishing email and expose confidential data. This means everyone has a responsibility to be vigilant about cybercrime. If something doesn’t look right, report it to your security team or the relevant person.
IIA Chicago conference
We were due to attend the IIA Chicago Chapter’s annual event for auditors this year. However, this was cancelled due to the coronavirus outbreak. We have moved our event stand online to give audit professionals the opportunity to connect with us. You can watch Craig Watson’s agile auditing presentation and listen to Stephanie Jones’s Ideagen Insights podcast that discusses the key issues faced by auditors in 2020, which includes internal audit and cybersecurity.