Why cybersecurity audits are essential for risk management

Find out what your company could risk by not getting cybersecurity audits.

Security LockElectronic network data security, data protection and electronic technology, financial network security

Image: Getty Images/iStockphoto

TechRepublic contributing writer Lance Whitney reported in December 2020 that security firm McAfee estimated that cybercrime would cost the world $1 trillion last year. When it comes to cybersecurity, it’s difficult to improve anything if what already exists is a mystery.

Steven Wertheim, president of SonMax Consultants, in his CPA Journal article Auditing for Cybersecurity Risk makes a strong case that auditing should be a part of every cybersecurity defense program. Before Wertheim explains how auditing can help, he looks at the issues that could be caused when auditing is not in place.

SEE: Checklist: Security Risk Assessment (TechRepublic Premium) 

Potential cybersecurity risks of not conducting an audit

More about cybersecurity

Inadequate understanding of the risks: Wertheim is concerned those in charge of a company’s cybersecurity are not cognizant of the organization’s level of cybersecurity risk nor know where critical business-related data is stored. And, according to Wertheim, “…if they [auditors] do not know where the critical data reside, how can they effectively measure and report on the client’s risk, especially in the case of small and medium-sized businesses?”

Inadequate monitoring: Wertheim believes there is a fundamental lack of risk analysis and assessment due to a lack of understanding in the following areas:

  • Why cybersecurity tools provide critical support;

  • which areas of the data infrastructure represent the greatest risk to the business; and

  • how to mitigate associated risks.          

Lack of testing: If organizations have an Incident Response Plan (IRP) in place, there is a need to ensure that the program reflects the company’s current business environment, responsibilities, regulatory requirements, and staff. Wertheim suggests, “Too often, companies end up with multiple points of failure within their plans; by not testing their plans on a regular basis, organizations have no way to validate their efficacy or remediate their weaknesses.”

SEE: Incident response policy (TechRepublic Premium)

Lack of third-party support: The concern is that company employees know the business and take logical shortcuts, whereas third-party vendors will provide an unbiased view of the problem. “Assumptions almost never match up with reality, however, exacerbating the impact of the incident,” writes Wertheim. “The third party does not know the business and therefore must follow the documentation and the defined processes.”

Lack of audit involvement: As a proponent of auditing, Wertheim firmly believes the only way to develop a clear picture of the risk is to hire an independent auditing firm. “The human factor underpins so much of the risk that enables cyberattacks and allows them to succeed, and it does so on both sides. Both the breachers and the company insiders whose mistakes enable successful breaches are human,” contends Wertheim.

What to consider with cybersecurity solutions

Living with the threat of cyberattacks is now a normal part of doing business. Wertheim does not downplay the importance of the more-recognized cybersecurity measures, such as the following:

  • A structured incident response program;          

  • assurances that equipment and software are up to date and patching occurs in a timely fashion;          

  • the implementation of an effective and active monitoring system; and

  • an IRP that is audited regularly.

Next, Wertheim focuses on how an independent auditing firm can markedly improve a company’s cybersecurity stance.

Expect to answer this question: The most important question an auditor should ask clients is: Where’s your most critical data? “If management is not able to answer that question simply, that’s a problem,” adds Wertheim.

Ensure adequate resourcing: A properly staffed incident-response team must have stakeholders and representatives from all parts of the business. “In addition, there should never be a single point of failure in any aspect of incident response,” advises Wertheim. “The only way to get organizations to understand the impact of these risks is to provide training.”

Update the understanding of risks: Auditing risk is not a one-time effort–it needs to occur on a regular basis and focus on identifying all risks and then deciding which are the most critical. An example offered by Wertheim is the use of passwords, which should be replaced by multi-factor authentication.

Perform a physical audit: Not all attacks start out using cyber tactics–ensuring that the physical plant is secure, and people are trained to maintain physical security are as important as cybersecurity. 

Obtain proper third-party support: This is important enough for Wertheim to mention twice–first as a fault, and now as an auditing requirement. “Establish a retainer agreement with one or more forensic or incident response consultants,” he explains. “Having an independent, objective view is a critical element in developing a complete picture of the incident. Work with the third-party vendor to conduct an annual security audit.”

SEE: Be proactive: 3 risk management steps to take before a cyberattack (TechRepublic)

Final thoughts

Wertheim feels strongly that auditing has a significant role to play when it comes to securing an organization’s digital assets. If one thinks about it, knowing what’s in place and what’s not security-wise via auditing seems logical. 

Also see