Transit systems. Healthcare facilities. Financial services firms. What do they all have in common? Organizations within these sectors — and essentially all industries, for that matter — have been hit by ransomware, a type of malware where cybercriminals demand a ransom payment to unlock access to your private and confidential systems and files.
While many cybersecurity risks exist, ransomware is often one of the more pressing challenges. Not only can it bring operations to a screeching halt, but it can also cause issues like data leaks and reputational damage. A global survey by cybersecurity software company Sophos finds that 66% of surveyed organizations suffered ransomware attacks in 2021. “It took on average one month to recover from the damage and disruption,” Sophos adds.
Given the severity of ransomware risk, internal auditors should aim to help their organizations reduce these threats, along with overall cybersecurity risks. How? As we’ll examine in this article, internal audit departments can take steps such as conducting IT/cybersecurity audits and using technology like internal audit management software to improve internal controls and collaboration.
Review IT practices and controls
Even though internal auditors generally aren’t responsible for choosing cybersecurity software and establishing employee training to recognize ransomware risks, they can still provide assurance over IT practices and controls, such as with an IT audit.
When IT teams conduct phishing tests to see whether employees are tricked by email scams that can cause ransomware issues, internal auditors are then able to review those results and ensure that the organization is meeting a sufficient standard to prevent social engineering. If the results demonstrate gaps in employee preparedness on ransomware risk or other cybersecurity risks, then internal auditors would likely want to communicate that risk to other stakeholders, like boards and senior management.
Internal audit leaders might also review remote work policies to ensure that IT teams are appropriately managing these with ransomware risk in mind, rather than just focusing on the functionality of work-from-home environments. While internal auditors often rely on guidance from IT leaders, they can still audit areas like access logs to ensure that only approved devices, with the appropriate threat intelligence and data protection technologies, are connecting to their networks.
Align key stakeholders
Improving ransomware protection also means internal auditors need to align key stakeholders, rather than just collaborating with IT. That means pulling together information from multiple departments to make sure everyone’s on the same page.
Internal auditors should check with finance teams to see how they’re accounting for the potential costs of a ransomware attack, and then ensure that other key stakeholders, like boards and senior management, understand and agree with this approach. Otherwise, issues like not having a sufficient budget to recover from a ransomware attack may arise.
“Regardless of their size or revenue, organizations should assume they will be targeted with ransomware, and they should examine their prevention, detection, mitigation, response, and recovery measures,” notes Zachary Ginsburg, research director for the Gartner Audit and Risk practice, in a Gartner press release.
Leverage internal audit management software
Internal auditors can mitigate ransomware risk by leveraging internal audit management software. Many technologies are designed to assist with cybersecurity risk management, but from an audit perspective, internal audit management software is important for gaining assurance.
TeamMate+ helps automate common audit tasks and improves collaboration, assisting internal audit teams to take more of a continuous approach to auditing, rather than falling behind on ransomware threats by only conducting annual audits. Good internal audit management software also makes it easier to test large data sets and report results, helping to gain stakeholder alignment through digestible presentations.
Overall, internal audit teams have an opportunity to make a significant impact when it comes to ransomware risk management. Planning ahead and focusing on internal alignment can go a long way toward reducing ransomware attacks and other cybersecurity risks.
