How enterprise risk management is evolving


Many of the same technical risk challenges exist for IT today as they did last year. There are risks in managing systems and networks, risks in managing the human employees who use those systems and networks, and cyber risks. Of the cyber risks, the most concerning are intrusions from malware, ransomware, viruses, and phishing.

IT has taken steps to avoid or mitigate many of them, but here’s where the change in IT risk management lies: what was once an internal IT issue is now a concern at the board, CEO, customer and stakeholder level.

The cost of an average data breach in 2021 was $4.24 million. Ransomware costs are expected to reach $265 billion by 2031, and the average cost of recovery after a ransomware attack in 2021 was $1.85 million.

Such costs (and the publicity that accompanies them) can break a brand and/or seriously damage a company’s reputation. This is exactly why business stakeholders, the board, and the CEO have their eyes on IT risk management and on what an organization can do to avoid high costs and unwanted headlines.

“Over the past 12 to 18 months, leaders across industries and sectors have witnessed – and increasingly experienced firsthand – the frequency, sophistication, cost and both economic and operational impacts of ransomware attacks,” said Curt Aubley, head and managing director of Deloitte Risk & Financial Advisory, in a press release.

IT audits and business engagement

Ultimately, IT risks are on the rise and businesses need to do something about them.

IT managers have taken many steps to prevent and/or mitigate risks to IT assets; however, one area where IT has been less active is deciding whether the audits it currently contracts for are still the right audits to perform, or whether other types of IT audits are now required, given the increase in cybercrime.

A second element in any IT audit discussion is budgeting. IT audits are expensive. How many audits can IT afford? Will CEOs and CFOs be as aggressive in their actions as they are in their words?

The Deloitte survey questioned C-level engagement. The survey found that “the vast majority (86.7%) of senior and other executives say they expect the number of cyberattacks targeting their organizations to increase over the next 12 months. And while 64.8% of executives surveyed say ransomware is a cyber threat of major concern to their organization over the next 12 months, only 33.3% say their organizations have simulated ransomware attacks to prepare for such an incident.”

Deloitte’s comments focused on the need to achieve demonstrable readiness by simulating attack scenarios and knowing how well you respond to them. If C-suite executives aren’t aggressive in backing these steps, and they aren’t, it’s not a stretch to imagine that there would also be resistance to major hard-dollar investments in IT audits.

IT audits: which one to choose?

There are many types of IT audits, but the basic audits you should fund and perform are:

1. General IT audit

A general IT audit must be carried out every year. The value of this audit is that it audits everything in IT. It focuses on the soundness of internal IT policies and procedures and the compliance of IT with regulatory requirements to which the business is subject. An IT audit reviews backup and recovery, ensuring disaster recovery plans are documented and up to date. The audit tests for cyber vulnerabilities and attempts to exploit them. In some cases, the IT department will have auditors (at an additional cost) perform a random audit of multiple end-user departments to see how well IT security standards and procedures are being adhered to outside of the IT department. If you work in a highly regulated industry like finance or healthcare, your examiner will demand to see your latest IT audits.

2. Social engineering audit

Stanford researchers found that 88% of data breaches in 2020 were caused by human error, and a Haystax survey found that 56% of security professionals said insider threats are growing. In a social engineering audit, auditors review end-user logs, policies, and procedures, and check how well users adhere to them.

Unfortunately, when it comes time for the budget crunch, many IT departments choose to skip the social engineering audit and settle for a general IT audit – but with employee negligence, errors, and sabotage on the rise, can companies afford to do so?

Given the high number of user violations, it is prudent to perform a social engineering audit annually. Cash-strapped IT departments might choose to perform these audits every two years instead.

3. Edge audit

In 2020, Grand View Research estimated the edge computing market at $4.68 billion, with an additional projection that the edge market would grow at a CAGR of 38% through 2028.

Manufacturers, retailers, distributors, healthcare, logistics, and many other industries are all installing IoT (Internet of Things) sensors and devices at the edge of their businesses on user-managed networks.

When users operate networks, there is an increased risk of security breaches and vulnerabilities.

If your company has extensive IT facilities at the edge, it is important to also have an audit of the security technologies, logs, policies, and practices in place there.

Final remarks on audits

Audits are expensive. IT staff don’t like to do them either, because questions from auditors take time away from day-to-day project work.

But in today’s world of growing cyber risk and insider risk, these audits are essential for the well-being of the business and for what the company will show its industry reviewers and commercial insurers.

By funding and performing the audits most crucial to the well-being of your business, you can stay ahead of the game.
