The digital age we live in introduces us to a world of knowledge and convenience, but in the process it leaves us susceptible to the growing threat of cyber-attacks.
Recently there have been a number of incidents targeting state and local government sectors, including organisations based locally. These threats have grown with the dependency many organisations now have on technology and the automation it provides.
Internal auditing can do a great deal to protect you against the vulnerabilities this brings.
Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their roles.
The following are key areas we consider with our IT specialist when testing IT systems including cyber security risks:
- Governance – what frameworks are in place to deal with the following:
  - Threat to integrity – modification or corruption of information
  - Threat to reputation – inaccurate information about the organisation
  - Threat to intellectual property
- Change management controls
- Support and maintenance – including:
  - Review of user access
- Availability – including:
  - Disaster recovery and business continuity planning
- General security – including:
  - Logical security over networks, servers, database management systems and communication management systems
  - Application security
- Cyber security – including:
  - Understanding the threat – a clear understanding of what the organisation’s key information and data assets are, and clarity on the biggest vulnerabilities and risk exposures in IT
  - Leadership – how cyber risk is handled in the Board governance process
  - Risk management – including the appetite for cyber risk, both for existing business and for new digital innovations
  - Awareness of help – the Australian Signals Directorate (ASD) suggests that 85% of threats can be mitigated by implementing the ASD top four strategies:
    - Application whitelisting (the opposite of blacklisting): specifying an index of approved software applications that are permitted to be present and active on a computer system;
    - Patching (updating) common applications;
    - Patching operating systems; and
    - Restricting administrator privileges
  - Cyber incidents – including a documented response plan. As part of an ongoing project to foster awareness of cyber security, the Crowe Horwath IT department completed a simulated phishing exercise on staff. This testing involved attempts to convince users to divulge their account details via fake websites. The exercise will serve as a baseline against which we will measure the success of future cyber security training initiatives.
The above are areas every organisation should be considering on a periodic basis. Have you got your IT risks covered? For more information on how you can ensure you remain protected, talk to an Internal Auditor today.
By Alison Lee
Manager – Senior Client Manager, Audit and Assurance