The Institute Of Internal Auditors (IIA) report “OnRisk 2022: A Guide to Understanding, Aligning, and Optimizing Risk” exposes emerging risks brought about by the prolonged pandemic and expanding reliance on technology and a remote workforce.

A key highlight of the report is the poignant indication that cyber risk continues to be a major and prevalent risk to all organisations.  As the report states: “Cybersecurity continues to exasperate organisations large and small, public and private, for-profit and non-profit. This ubiquitous and dynamic risk was rated as the most relevant by respondents, along with Talent Management. Yet, on average, organisational capability lagged significantly.”

According to the IIA report, there is a concerning disparity between an organisation's capability or preparedness to address cyber risk and its recognition of that risk as a major potential disabler of, or impediment to, business operations.  The adjacent graph highlights the key areas of risk identified in the report and the respective capability disparity for each.

Organisations should constantly challenge themselves with questions about their cybersecurity posture and maintain an honest, objective awareness of their cyber choke points.  Are you concerned about cyber risk?  When was the last time you undertook an objective assessment to gauge your cyber maturity and posture?  Do you need help?  Perhaps start by considering the questions presented in the adjacent window.


Examination of Top Risks for 2022

(source: “OnRisk 2022: A Guide to Understanding, Aligning, and Optimizing Risk” report)

Helpful Questions For An Organisation To Ask Itself
  • Do you have a cybersecurity strategy or roadmap? How far has the organisation progressed in achieving this?

  • Is there an awareness and training programme in place to reduce the risk of social-engineering attacks on staff? Are these regularly updated?

  • Is a cybersecurity incident management plan in place?  Do you validate its efficacy through cyber-incident-response rehearsal exercises?

  • Is there a dependable data backup regime that can effectively support IT continuity efforts in the event of a disruptive breach? How do you know that the backups are reliable?

  • What defences have you factored into your cyber strategy and preparations to minimise exposure to ransomware attacks? Do you have a policy on whether or not to pay in case you are hit by ransomware?

  • Do insurance policies appropriately cover cybersecurity risks? Do you know when and how to invoke your cyber insurance in case of a cyber incident?  Do you have a cyber insurance engagement playbook when taking steps to respond to an incident?

  • Are you confident you won’t suffer an attack via your vendors or clients? On what basis are you confident, e.g. i) do third parties provide demonstrable cybersecurity assurances such as ISO 27001 certification, or ii) do they give adequate contractual commitments for addressing cyber incidents and risks?

  • Do you conduct periodic technical security testing to understand the current scope of your cyber vulnerabilities and attack paths?  Does such testing cover technology interfaces with upstream/downstream business partners and suppliers?