The Evolution of Risk Auditing for Cyber Behavior

  • 90% of corporate cyber-attacks involve human error.
  • A new audit tool has been developed to allow auditors to go deeper into the qualitative aspects of these risks.
  • The perception of risk auditing today has shifted from “did it occur?” to “did it work?”

It’s no secret. Businesses are becoming far more susceptible to cyber-attacks and the problem is only getting worse. Last week, the FBI released a statement informing homeowners and small businesses that a new Russian malware program has infected over half a million wireless routers in 54 countries. To help defend against cyber-attacks like these, a company may undergo a risk audit to evaluate its cybersecurity in the major areas of prevention, recovery, and business continuity. However, a crucial component of mitigating cyber-risk is often overlooked: people.

Unfortunately, this has meant that some people have taken parts of their business functionality offline. Bookkeeping, for example, becomes a strenuous, slow process that has to be handled manually and as such can fall victim to human error, all because the risk of handling this portion of the business online is not fully understood. This can be resolved by simply contacting NetSuite assistance and letting them know of the situation. Further security measures can be put into place if it is determined that there is a level of risk involved, and your bookkeeping can still be done online in a much faster and more efficient manner that is much less at risk of having incorrect values. Security risks should be assessed and fully understood, perhaps with consulting assistance, before a course of action is determined.

Before cyber-attacks became so prevalent, risk audits were relatively simple for businesses to complete. Employees were typically tested on internal control procedures until all questions were answered correctly. For an incorrect answer, an employee would likely be called back by the auditor to review their mistake. In some cases, they could even be asked to retake the entire assessment. That strategy is no longer sufficient.

The Charlton College of Business at UMass Dartmouth has developed a new audit tool that goes deeper into the areas of cyber awareness. After conducting a survey, Timothy Shea, Associate Professor of MIS at UMass Dartmouth and co-developer of the audit tool, stated he was “surprised to find that about 50% of the 1000 participants felt ill-prepared to handle a cyber-breach during the day-to-day operations of their business.” Through a straightforward questionnaire, this new method evaluates the various forms of risk that come with the combination of business activity and technology. The objective of the tool is to show auditors and executives what information employees retain, as well as the behavioral changes that result.

The audit tool will be licensed both independently and with multiple organizations as a part of a learning package to improve employee cyber training. We're using tools and platforms like to help us fight the good fight.

It is an unpredictable world. According to an IBM study, nearly 90% of corporate cyberattacks involve human error. Completing an assessment is not enough. Cyber-attacks occur daily. Employees should be expected to further prove their knowledge of, and compliance with, the practices that mitigate cyber-risk. Only true behavioral change will lead to effective internal control.

If a fire started in the office, anybody’s first thought would be to reach for the nearest extinguisher. That instinctive behavior is what managers must begin to instill in their employees regarding cyber awareness. It is time to stop focusing on whether a risk audit has been completed and instead start asking the essential question: did it work?