Contact Us : 800.874.5346 | International: +1 352.375.0772
Contact Us : 800.874.5346 | International: +1 352.375.0772

IT Security – Introduction

Auditor Testing IT Security

Understanding IT Security as an Internal Auditor

Informing management about threats to an organization’s well being is one of the primary purposes of the internal audit function. In recent years, one of the biggest areas of growth this role has seen is in cybersecurity.

In this new series on cybersecurity, we’ll introduce you to the fundamentals of cybersecurity so you’re prepared to answer questions about it in context of your role as an internal auditor.

NOTE: For those already studying for the CIA exam, consider this a bit of a refresher with some extra credit thrown in. The CIA exam tests on a variety of IT Security topics that will be covered in this series, but some of these articles will go a bit beyond what you’re likely to see on the CIA exam.

In this article, our first on the subject, we’ll discuss the basics of cybersecurity, the role the internal audit function has in IT security, and the common types of threats an organization’s cybersecurity faces.

What is cybersecurity?

Cybersecurity is a broad, catch-all term that refers to the protection of an individual or organization’s data, tools, and ability to conduct business digitally. Basically, this means that cybersecurity is responsible for keeping your computers, networks, and online services safe from malicious actors.

In order to keep your computer systems secure, cybersecurity professionals make use of protective software (such as firewalls), corrective software (such as digital backups), end-user training, and physical and digital controls.

What role does the internal audit have in maintaining cybersecurity?

In the Three Lines of Defense model, with regard to cybersecurity, the internal audit function is responsible for the third line of defense.

  • 1st line of defense – Business units and the IT function add cybersecurity into the day-to-day operations of an organization.
  • 2nd line of defense – IT leaders establish management and oversight, monitor operations, and take action as needed.
  • 3rd line of defense – Internal auditors conduct independent review of security measures and performance, identify opportunities for improvement, and inform management of the results of their review.

In other words, internal auditors check and test an organization’s cybersecurity and try to look for ways it can improved. Once they’ve completed their tests, they inform management, the audit committee, and the board about their findings.

In order to adequately perform in their role of reviewing IT security measures, internal auditors need to be well-versed in the fundamentals of cybersecurity. This is one of the reasons why certified internal auditors need to take continuing education in order to maintain their certification.

What organizations need to worry about cybersecurity?

All of them. All modern organizations will need to consider cybersecurity and how it affects their daily administration.

Each year, the amount of cybercrime committed increases. In their 9th annual cybercrime report, Accenture estimates that $5.2 trillion worth of assets are at risk of cybercrime over the next 5 years.

To understand why your organization needs to be protected from cybercrime, it is important to understand what sets cybercrime apart from traditional crime.

Traditional crime is primarily limited by three factors – things so fundamental we rarely even stop to consider them. For one, to commit a traditional crime, a criminal must be physically present (or at least have been physical present at some point in the past). Secondly, traditional criminals must target a specific organization or location. Finally, traditional criminals don’t have much room for trial-and-error; if a traditional criminal gets caught, they are unlikely to be able to try again.

Cybercrime is not limited by these factors. Criminals using the internet can attack any organization regardless of location. They can attack thousands of organizations simultaneously and are able to continuously adapt their techniques because many failures go unnoticed.

Finally, while cybercrime was once limited to the technologically savvy, the means to conduct an attack are commonplace nowadays. Accessing the tools needed to conduct an attack doesn’t require advanced technical literacy. Most cybercrime tools are basically point and click.

What threats does cybersecurity protect against?

Threats to IT security can come in many different forms, and they try to accomplish different objectives. In general, these threats are divided into categories based on the techniques used to prevent them. Even within a single category, there are sometimes multiple threats with unique methods and objectives.

NOTE: Because this field has developed so quickly and as a response to malicious activity, many terms within this field have disputed definitions. While the threats are well understood, how exactly each is classified varies within the profession.

  • Malware – Malware is generally defined as all malicious software. This includes software such as virus, worms, ransomware, etc. Basically, malware is any software designed to damage a computer, network, server, or other computing device.

  • Data breaches/eavesdropping – Data breaches refers to any incident that results in sensitive information being released to non-intended parties. One common method is known as packet-sniffing (collecting sensitive information while it is being transmitted from one secure location to another).

  • Insider threats – Insider threats refer to threats that originate from inside of an organization. These are especially dangerous since they can avoid several layers of defense by occurring onsite or from within an otherwise secure network.

  • Denial-of-services attacks – Denial-of-service (DOS) attacks are a method of overwhelming a server or website with false access attempts. The goal of which is to block all legitimate access attempts.

  • Direct-access attacks – Direct-access attacks are threats that occur onsite (either of the organization or of a third-party location such as a third-party server or hot/warm site). Once a user has access, they could download data, modify software, or add malware. They differ from insider threats in that they do not have immediate access to password-protected user privileges.

  • Social engineering – Social engineering is a unique threat in that it doesn’t rely on the vulnerabilities of computer systems, but rather on manipulating users into taking actions that compromise an organization’s cybersecurity.

Control is the key to reducing cybercrime

Between effective internal controls, informed auditors, and expert IT security professionals, the tools for reducing cybercrime are within our grasp.

Become part of the solution by using your cybersecurity expertise to protect modern organizations. Certified internal auditors serve a vital role in IT security and are the experts when it comes to all internal audit functions. Learn more about about how the CIA certification can give you the expertise you need to excel in your career.

Already a certified internal auditor? Be sure to check out our next article on cybersecurity or learn even more by exploring our robust continuing education library.

Also, reach out to us on Facebook or Twitter or by email. We want to hear your opinion on the future roles internal auditors will have with respect to IT security.