Many of the same technical risk challenges exist today for IT as they did last year. There are risks in managing systems and networks, risks in managing the human employees who use these systems and networks, and cyber risks. Among cyber risks, the most concerns are intrusions from malware, ransomware, viruses, and phishing.
IT has taken steps to avoid or mitigate many of these, but here is where the change in IT risk management is: What used to be an internal IT issue is now a board-level, CEO-level, customer-level, and stakeholder-level concern.
The cost of an average data breach in 2021 was $4.24 million. Ransomware costs are expected to top $265 billion by 2031, and the average cost of recovering from a ransomware attack in 2021 was $1.85 million.
Costs like these (and the publicity that accompanies them) can break a brand and/or severely damage a company's reputation. It is exactly why company stakeholders, the board, and the CEO have their eyes trained on IT risk management -- and what an organization can do to avoid steep costs and unwelcome headlines.
“Over the past 12-18 months, executives across industries and sectors have witnessed -- and increasingly experienced first-hand -- the jaw dropping frequency, sophistication, cost, and both economic and operational impacts of ransomware attacks,” said Curt Aubley, Deloitte Risk & Financial Advisory practice leader and managing director, in a press release.
IT Audits and Corporate Commitment
The bottom line is that IT risks are multiplying -- and companies need to do something about them.
IT leaders have taken many steps to prevent and/or mitigate risk to IT assets; however, one area where IT has been less active is in deciding whether the audits IT contracts for are still the right audits to perform, or if other types of IT audits are now needed, given the rise in cybercrime.
A second element in any IT audit discussion is budgeting. IT audits are expensive. How many audits can IT afford? Will CEOs and CFOs be as aggressive with their actions as they are with their words?
The Deloitte survey questioned C-level commitment. The survey revealed that “the vast majority (86.7%) of C-suite and other executives say they expect the number of cyber-attacks targeting their organizations to increase over the next 12 months. And while 64.8% of polled executives say that ransomware is a cyber threat posing major concern to their organization over the next 12 months, only 33.3% say that their organizations have simulated ransomware attacks to prepare for such an incident.”
Deloitte’s comments were about getting behind provable readiness by simulating attack scenarios and knowing how well you respond to them. If C-suite executives aren’t aggressively behind these steps, and they’re not, it isn't far-fetched to imagine that there would also be resistance to major hard dollar investments in IT audits.
IT Audits: Which Do You Choose?
There are many types of IT audits, but the core audits you should fund and perform are the following:
1. General IT audit
A general IT audit should be done each year. The value of this audit is that it audits everything in IT. It focuses on the strength of internal IT policies and procedures, and on whether IT is meeting the regulatory requirements that the company is subject to. An IT audit looks at backup and recovery, ensuring that DR plans are documented and up to date. The audit tests for cyber vulnerabilities and attempts to exploit them. In some cases, IT will request auditors (at additional cost) to random-audit several end-user departments to see how well IT security standards and procedures are being adhered to outside of IT. If you are in a highly regulated industry like finance or healthcare, your examiner will demand to see your latest IT audits.
2. Social engineering audit
Stanford researchers found that 88% of data breaches in 2020 were brought on by human error and a Haystax survey revealed that 56% of security professionals said insider [security] threats were on the rise. In a social engineering audit, auditors review end-user activity logs, policies, and procedures. They check for adherence.
Unfortunately, when budget crunch time comes, many IT departments opt to skip the social engineering audit and just go with a general IT audit -- but with employee negligence, mistakes, and sabotage on the rise, can companies afford to do this?
Given the high number of users violations, it is prudent to perform a social engineering audit annually. For cash-strapped IT departments, they could opt to perform these audits every other year.
3. Edge audit
In 2020, Grand View research estimated the edge computing market at $4.68 billion, with an additional projection that the edge market would grow at a 38% CAGR through 2028.
Manufacturers, retailers, distributors, healthcare, logistics, and many other industries are all installing IoT (Internet of Things) sensors and devices at the edges of their enterprises on user-run networks.
When users operate networks, there is heightened risk of security breaches and vulnerabilities.
If your company has extensive edge-computing installations, it’s important to also have an audit of security technologies, logs, policies, and practices at the edge.
Final Remarks About Audits
Audits are expensive. IT personnel also don't like doing them, because auditor questions take time away from daily project work.
But in today’s world of growing cyber and internal risks, these audits are essential for corporate wellbeing, and for what the company is going to show its industry examiners and business insurers.
By funding and performing the audits that are most crucial to your enterprise’s wellbeing, you can stay ahead of the game.
What to Read Next:
9 Ways CIOs Can Creatively Use IT Audits
7 Security Practices to Protect Against Attacks, Ransomware