Does Your Organization’s Cyber Culture Make You #Wannaaudit?

It didn’t take long for social media to adopt #wannacry for last week’s massive cyberattack, which hit computer networks in nearly 100 countries from the U.S. to the U.K. to China. The ransomware virus, called Wanna Decryptor, encrypted valuable data on compromised networks, then threatened to destroy it unless payments were made.

For those of us who have spent our careers promoting good internal controls and risk management, this latest cyberattack could indeed bring tears of frustration because the attack successfully exploited some of the most basic and easily mitigated cyber risks.

First, the perpetrators relied on simple phishing to introduce the virus through an email attachment, according to cybersecurity experts quoted by multiple news outlets.

The news media also reported that a patch to fix vulnerabilities to the specific malware was distributed by Microsoft Corp. at the end of March. Yet, many of the attack’s targets, including the U.K.’s National Health Service, fell victim because they failed to apply the patch.

It is unfathomable to me that such attacks continue to succeed, yet the global reach of Friday’s attack reflects how vulnerable we remain. It has become vogue to declare that it is no longer a matter of “if” but “when” an organization will be successfully hacked. But that message, designed to urge organizations to focus beyond prevention, may be enabling weak cybersecurity cultures.

The recently released 2017 Data Breach Investigations Report by Verizon offers telling information that confirms just how much work is left to be done. Here’s a sampling of its findings, based on analysis of data breaches in 2016:

• 80 percent of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords.
• 1 in 14 users were tricked into following a link or opening an attachment.
• 66 percent of malware was installed via malicious email attachments.
• 95 percent of phishing attacks that led to breaches were followed by some sort of software installation.

If those statistics don’t send a chill down your spine, two other key data points should:

• 61 percent of data breach victims were businesses with fewer than 1,000 employees.
• Ransomware has gone from being the 22nd most-common form of malware in 2014 to fifth in 2017.

These statistics raise the alarming specter that organizations don’t appreciate the risks they face or the value of even the most basic prophylactic cybersecurity measures. As internal auditors, we must question whether our organizations’ cybersecurity cultures could unwittingly allow these breaches to happen.

Providing assurance on cybersecurity involves more than just looking at whether the protocols and policies designed to block or discourage cyberattacks are in place and operating effectively. We must consider how the organization’s culture influences how those protections are carried out. For example, organizations may be willing to accept higher-risk behavior in email practices in exchange for higher productivity. Efforts to protect data through encryption may be undone if rules prohibiting or limiting hard-copy versions of the data are not in place or are ignored. We also must be attuned to an organization’s “IT mystique,” which accepts that only IT understands certain aspects of cybersecurity and therefore can’t be questioned.

Part of the solution is for internal auditors to build cooperative relationships with IT, chief risk officers, chief information security officers, human resources, and others who manage cyber risks. This is essential for internal audit to gain a clear understanding of what drives cyber risks and what influences the organization’s cybersecurity culture. It must then share those insights with management and the board.

I’ll leave you with a number of quick takeaways from the Verizon report that offer sound advice all organizations should take to heart:

• Be vigilant. Log files and change-management systems can give you early warning of a breach.
• Make people your first line of defense. Train staff to spot the warning signs.
• Only keep data on a “need-to-know” basis. Only staff members who need access to systems to do their jobs should have it.
• Patch promptly. This could guard against many attacks.
• Encrypt sensitive data. Make your data next to useless if it is stolen.
• Use two-factor authentication. This can limit the damage that can be done with lost or stolen credentials.
• Don’t forget physical security. Not all data theft happens online.

Internal auditors often deal with frustrating failures of risk management and internal controls in our organizations. Cybersecurity breaches are perfect examples of failures in multiple lines of defense. While the temptation in the face of calamitous failures is to #Wannacry, we must instead roll up our sleeves and embrace the challenges as internal audit professionals. We must #Wannaaudit.

As always, I look forward to your comments.