Cyber security has become a critical concern for organisations across all industries. Internal Auditors can play a pivotal role in safeguarding businesses against cyber threats by enhancing awareness and implementing effective measures. This article aims to provide insights into how internal auditors can bolster cyber security within the organisations they audit while highlighting key risk and governance standards that could be adopted to build resilience to attack.

The Importance of Cyber Security Awareness

In the realm of Internal Audit, where professionals are tasked with assessing risks and evaluating controls, having a thorough understanding of cyber security is indispensable. Cyber threats pose significant risks to financial data, sensitive information, and overall business continuity. Hence, internal auditors must be well-versed in cyber security principles, trends, and best practices to effectively fulfil their roles.

Supporting Businesses in Improving Cyber Security

Internal auditors can actively support businesses in enhancing their cyber security posture by adopting the following strategies and working with trusted cyber security consultancies to carry out a full cyber audit if required. Internal Audit functions that relate to cyber risk analysis could be:

• Risk Assessment and Identification: Evaluate how well management has identified potential cyber threats and vulnerabilities within the organisation’s systems, networks, and processes; and whether the mitigating actions they have implemented to manage and reduce these risks to an acceptable level are working effectively.
• Governance and Policy Frameworks: Evaluate the organisation's governance structures and cyber security policies to ensure alignment with industry standards and regulatory requirements. Look for robust policies governing data protection, access controls, incident response, and compliance with relevant laws such as GDPR or the Data Protection Act or industry-specific regulations.
• Employee Training and Awareness: Advocate for employee training programmes focused on raising awareness about cyber security risks and best practices. Educate staff members on the importance of strong passwords, phishing awareness, secure communication protocols, and data handling procedures to mitigate human errors and prevent security breaches.
• Security Controls and Technologies: Potential to assess or work with a NCSC accredited cyber security consultancy to assess the effectiveness of existing security controls and technologies deployed within the organisation. Evaluate the implementation of firewalls, antivirus software, intrusion detection systems, encryption mechanisms, and multi-factor authentication to prevent unauthorised access and data breaches.
• Incident Response Preparedness: Review the organisation's incident response plan to ensure it provides clear guidelines and procedures for responding to cyber security incidents. Work with an assured NCSC Cyber Incident Exercise (CIE) accredited consultancy to test the plan through simulated exercises or tabletop discussions to identify gaps and enhance preparedness for real-world cyber threats.
• Vendor Risk Management: Test to ensure that management has evaluated the risks associated with third-party vendors and service providers that have access to the organisation’s systems or data. Carry out testing to see whether appropriate contractual agreements are in place, outlining security requirements, data protection measures, and incident response protocols for vendors.

Key Risk and Governance Standards

When assessing cyber security within organisations, internal auditors should look for adherence to industry-recognised risk and governance standards or recommending, when needed, accredited cyber security consultants who would be able to complete a full technical cyber security audit. The following security standards would be relevant to cyber risk management:

• Cyber Essentials: A Government backed scheme with two levels of certification to prevent the most common attacks, and to begin securing your IT.
• IASME Cyber Assurance: A flexible cyber security standard that provides assurance that an organisation has put in place a range of important cyber security, privacy and data protection measures. 
• ISO 27001: The international standard for information security management systems (ISMS), providing a framework for establishing, implementing, maintaining, and continually improving an organisation's information security management system.
• NIST Cybersecurity Framework: Developed by the National Institute of Standards and Technology (NIST), this framework offers a risk-based approach to managing and improving cyber security posture, comprising five core functions: Identify, Protect, Detect, Respond, and Recover.
• COBIT (Control Objectives for Information and Related Technologies): A framework developed by ISACA for governance and management of enterprise IT, including guidance on managing cyber security risks, aligning IT with business objectives, and ensuring compliance with regulations.
• PCI DSS (Payment Card Industry Data Security Standard): Applicable to organisations handling payment card transactions, this standard outlines requirements for securing cardholder data, including network security, access controls, and regular vulnerability assessments.
• GDPR (General Data Protection Regulation): Applicable to organisations handling personal data of EU residents, GDPR mandates strict requirements for data protection, including consent mechanisms, data breach notification, and privacy by design principles.

In conclusion, internal auditors have a significant role to play in enhancing cyber security awareness and resilience within organisations. 

By leveraging their expertise in risk assessment, governance frameworks, and regulatory compliance, they can support businesses to make improvements and work hand in hand with accredited cyber security consultancies to mitigate cyber threats and safeguard critical assets. By adhering to key risk and governance standards, and working in collaboration, they can help to ensure that organisations maintain robust cyber security practices in an ever-evolving threat landscape.

For more information contact info@purecyber.com or see PureCyber's website.

Jonathan Stock - Chief Information Risk Officer, PureCyber