Cybersecurity Due to the increasing dependence of digitaltechnologies to conduct operations, cybersecurity became important due to cyberrisk or incidents.
Cyber risk a company may face includes remediation cost forstolen assets or information as well as the repair cost of system damage thatmay have been caused, an increase it budget on cybersecurity, lost revenue fromunauthorized use of proprietary information, litigation and most importantlyreputation damage that deters customers or investors. Since 2011, the Security and ExchangeCommission (SEC) has established the CF Disclosure Guidance: Topic no.2 to makecompanies disclose their obligations relating to cybersecurity risk and cyberincidents, the third line of defense from cyber attacks have fallen to thehands of internal audits. As an internal audit, several responsibility that isgiven includes working with management and board of directors to develop cybersecurity strategy, improving the company’s resistance to potential risk bothfrom internal and external attacks, keeping a current understanding ofpotential cyber risk and make sure everyone is highly engaged due to theeverchanging nature of cyber risk, make sure the number of personnel working oncybersecurity is sufficient and evaluate the cyber security program with theNIST Cybersecurity framework, ISO 27001 and 27002 and disclosing event of cyberincidents at a timely manner.
However, due to the aforementionedeverchanging nature of technology and cyber risk, it is hard to stay in thearms race. In June of 2017, a global ransomware attack happened and due tobeing a new type of malware, due to its difference with other malwares, even ifKapersky announced the finding of its prototype in 2016, it remained undetectedwhen the malware enters the system. Conclusion I think the responsibility on cybersecurityput on internal audit is quite a difficult task to handle due to theeverchanging and growing ways of compromising a cybersecurity system. Attackscould come at anytime from anywhere, and the hole in the security system cannotbe easily noticed unless an attempted breach is performed successfully.
Due tothe nature of cybersecurity, I suggest that additional tool to be used to aidauditors in their endeavour. Recommendations I think using AI through the process ofmachine learning, it can help identify the security risk. In an interview withForbes, Simon Crosby CTO of Bromium said the AI is not going to be perfect,since they function with pattern recognition and not necessarily able todifferentiate different kind of approaches, but it can help to reduce theburden placed on internal auditors on cybersecurity, since they learn fromprevious attacks and identify the holes in the cybersecurity. The fact that anAI can function 24 hours a day makes it so even when the absence ofcybersecurity personnel, an amount of protection is still given to the data andinformation.