Last summer, internal auditors for the city of Atlanta warned officials that their IT systems could be easily compromised if they weren’t fixed immediately. The audit report minced no words, calling out the lack of resources (tools and people) available to address the “thousands of vulnerabilities” and characterizing the situation as a “significant level of preventable risk exposure,” according to media reports.
The city apparently began to implement certain security measures, but it was a classic case of too little, too late. A ransomware attack — essentially digital extortion — crippled the city’s computer network and took many departments nearly into the dark ages of pen and paper. The breach even shut down Wi-Fi service at Atlanta International Airport. Fortunately, critical services such as those supporting emergency responders (and flights at the nation’s busiest airport) were not affected.
It was a textbook example of a ransomware attack. After years of such breaches around the globe, the city’s response to internal auditors’ dire warnings should have been textbook, as well. It clearly was not.
What happened? Why did Atlanta, even with ample warning, fail to implement recommended controls to harden its systems?
While the reasons are undoubtedly numerous and complex, everything points to an override of the three-lines-of-defense risk management model. The model requires management, the first line of defense, to own and manage risks by maintaining and executing effective internal controls — including corrective actions that internal audit identifies to address process and control deficiencies.
The second line encompasses risk and compliance functions. These vary according to industry, affecting the nature of their exact responsibilities. In general, however, they support the first line by helping build or monitor the first line’s controls.
The third line, as we know, is internal audit, which provides the governing body and senior management with comprehensive assurance on the effectiveness of governance, risk management, and internal controls, including recommendations for addressing vulnerabilities. It is an effective model, but only when all three lines play their part, and management listens to the third line.
In Atlanta’s case, management failed in its responsibility to promptly address the recommendations made by internal audit, rendering the model ineffective. Granted, internal audit may sometimes contribute to the difficulty of management’s role by failing to communicate the value or importance of a recommendation, prioritize reports according to the most critical risks, or gain management’s buy-in early in the process.
But that’s why we in the internal audit profession must do what is necessary to make it easy — nearly unavoidable — for management to understand the magnitude of such risks, acknowledge our recommendations, and set them in motion.
An organization’s ability to act on what it knows becomes even more important as the frequency and impact of cyberattacks continue to rise. Just last week, we learned that a data breach of Under Armour’s MyFitnessPal app compromised potentially 150 million accounts. Phishing emails are widely recognized as a common delivery vehicle for viruses, yet some companies fail to educate employees on what to look for and how to respond to a suspicious message.
Many companies know that hackers incessantly find and exploit software vulnerabilities, for which the software’s developers issue patches as soon as each new “crack” is discovered. Still, patches often go unapplied. Passwords, too, are known to be an open door to data breaches (according to Verizon’s 2017 Data Breach Investigations Report, 80 percent of hacking-related breaches leveraged stolen, weak, or guessable passwords), yet some organizations fail to establish a policy requiring strong passwords, changed frequently.
It is easy to assume that hacking is something that happens to someone else (“We are too small to attract the attention of hackers.” “We don’t have any information worth stealing.”), but that is classic “head in the sand” thinking. Virtually any organizations that has data is at risk, which means every organization is at risk, short of one on a small, isolated island that has found a way to stay off the grid.
Less than a year ago, following an even bigger cyberattack that hit computer networks worldwide, I penned a blog post titled “Does Your Organization’s Cyber Culture Make You #Wannaaudit?” I wrote: “It is unfathomable to me that such attacks continue to succeed.” These days, the prospect of a cyberattack should be continuously on our radar and internal audit’s recommendations when vulnerabilities are found should be heard and given immediate attention.
As Atlanta’s employees labor to rectify a bad situation, the least we can do is take some lessons from their experience:
Organizations face enough risks for which they have no warning or defense mechanisms. Cybercrime need not be one of them.
As always, I look forward to your comments.