Many of the same technical risk challenges exist for IT today as they did last year. There are risks in the management of systems and networks, risks in the management of human employees who use these systems and networks, and cyber risks. Among the cyber risks, the most feared are intrusions from malware, ransomware, viruses and phishing.

IT has taken steps to avoid or mitigate many of them, but here is where IT risk management has changed: what used to be an internal IT problem is now a board-, CEO-, customer- and stakeholder-level concern.

The average cost of a single data breach in 2021 was $4.24 million. Ransomware costs are expected to reach $265 billion by 2031, and the average cost of recovering from a ransomware attack in 2021 was $1.85 million.

Costs like these (and the publicity that accompanies them) can destroy a brand and/or seriously damage a company’s reputation. That is why a company’s stakeholders, board and CEO are now focused on IT risk management, and on what the organization can do to avoid high costs and unwanted headlines.

“Over the last 12-18 months, leaders in various industries and sectors have witnessed – and increasingly felt first-hand – the frequency, complexity, cost and both economic and operational impacts of ransomware attacks,” Kurt Obley, head of practice at Deloitte Risk & Financial Advisory and managing director, said in a press release.

IT audits and corporate commitment

The bottom line is that IT risks are increasing – and companies need to do something about them.

IT leaders have taken many steps to prevent and/or mitigate risks to IT assets. One area where IT has been less active, however, is deciding whether the audits it currently contracts for are still the right audits to perform, or whether other types of IT audit are now needed given the rise in cybercrime.

A second element in any IT audit discussion is budgeting. IT audits are expensive. How many audits can IT afford? Will CEOs and CFOs be as aggressive in their actions as they are in their words?

The Deloitte study called C-level commitment into question. While 64.8% of executives surveyed say ransomware is a cyber threat of major concern for their organization over the next 12 months, only 33.3% say their organizations have simulated ransomware attacks to prepare for such an incident.

Deloitte’s point was about getting behind demonstrable readiness: simulating attack scenarios and knowing how well you respond to them. If C-suite executives are not aggressively behind these steps, and they are not, it is no exaggeration to expect resistance to large hard-dollar investments in IT audits.

IT audits: which one do you choose?

There are many types of IT audits, but the main audits you need to fund and perform are the following:

1. General IT audit

A general IT audit should be done every year. Its value is that it covers everything in IT. It focuses on the strength of internal IT policies and procedures and on whether IT meets the regulatory requirements to which the company is subject. The audit examines backup and recovery, ensuring that DR plans are documented and up to date. It tests for cyber vulnerabilities and attempts to exploit them. In some cases, IT will ask the auditors (for an additional fee) to conduct a random audit of several end-user departments to see how well non-IT staff are following IT standards and procedures. If you are in a highly regulated industry such as finance or healthcare, your regulator’s auditor will ask to see your latest IT audits.

2. Audit of social engineering

Researchers from Stanford found that 88% of data breaches in 2020 were caused by human error, and a Haystax survey found that 56% of security professionals said insider security threats were growing. In a social engineering audit, auditors review end-user logs, policies and procedures, and check for adherence to them.

Unfortunately, when a budget crisis comes, many IT departments choose to skip the social engineering audit and settle for a general IT audit alone. But as staff negligence, mistakes and sabotage increase, can companies afford to do so?

Given the large number of user-related breaches, it is prudent to audit social engineering annually. IT departments with limited money could choose to spread these audits across the year.

3. Edge audit

In 2020, a Grand View study estimated the edge computing market at $4.68 billion, and forecast that it will grow at a 38% CAGR through 2028.

Manufacturers, retailers, distributors, healthcare providers, logistics firms and many other industries are installing IoT (Internet of Things) sensors and devices at the edges of their businesses, on networks that users manage themselves.

When users manage networks, the risk of security breaches and unpatched vulnerabilities increases.

If your company has extensive edge installations, it is also important to audit the security technologies, logs, policies and practices in place at the edge.

Concluding remarks on audits

Audits are expensive. IT staff also don’t like doing them, because the auditor’s questions take time away from day-to-day project work.

But in today’s world of growing cyber and insider risks, these audits are essential to corporate well-being and to what the company can show its industry experts and business insurers.

By financing and conducting audits that are most important to the well-being of your business, you can stay in the game.


https://www.informationweek.com/security-and-risk-strategy/how-corporate-risk-management-is-changing
