With the roll-out of vaccines in the developed world and the return of growth as economies reopened in 2021, it may be tempting to see the worst of the pandemic as having passed. However, COVID-19 will continue to have deep and lasting consequences, a new reality that organisations must accept. So says the Chartered Institute of Internal Auditors (IIA) in its 2022 ‘Risk in focus’ report.
Large sections of the workforce are reflecting on their futures, seeking new employment to advance careers stalled by the pandemic or changing course altogether by migrating into different sectors. Many countries are witnessing a resignation crisis, staff shortages and high vacancy rates, demonstrating how profoundly the pandemic has exacerbated talent management risks that existed long before 2020. Workforce and labour market disruptions also have major implications for organisations’ culture, the report suggests.
Supply chains are feeling disruption and uncertainty; businesses are contending with ‘critical supply chain issues and inflation risks’, the report says. As in the previous year’s report, cybersecurity and data security tops the list of risks, while ‘climate change and environmental sustainability’ is surging up the agenda. Cyber is also rated by most respondents as the top risk their organisation will face three years from now, and as the risk on which internal audit spends the most time and effort. Even so, respondents expect cyber to become relatively less of a risk over that period; ‘any threat mitigation will come from the fact that businesses are becoming better equipped at managing and minimising the risk of attacks and data breaches’, the report states.
Cyber mature
Among ‘cyber mature’ organisations, particularly in the financial services sector, attention is turning to ‘response and recovery processes and procedures’, and to what to do in the event of ransomware. Staff training and awareness is regarded as the most effective way of minimising the likelihood of workers clicking on malicious links and opening harmful attachments (such as .doc, .dot and .exe files). “However, no amount of training can totally prevent assaults from slipping through the cracks. Businesses that have yet to suffer a major incident need to recognise that it is not a question of if attackers will be successful, but when,” the report says.
Every organisation is at a different point in its information security ‘journey’, so internal audit must focus its effort where it is most needed, the report adds. For the least mature, that means working on the ‘foundations’: risk assessment, and ‘hard’ and ‘soft’ controls, where regular software updating and patching are examples of ‘hard’ controls and a sound cyber culture is a ‘soft’ one. For the most mature firms, cyber work beyond the foundations can concentrate on response and recovery.
On ransomware, the report quotes figures showing that, among recent victims, a majority (56pc) recovered their data from system backups, while about a quarter (26pc) paid the ransom demanded to have their data returned. The report notes that paying criminals is a form of response and a route to recovery, ‘and if this is agreed policy, it must be documented and understood by the IT security function, the CISO, the rest of senior management and the board’.
About the report
In 2021, members of 12 Institutes of Internal Auditors, in Austria, Belgium, France, Germany, Greece, Italy, Luxembourg, the Netherlands, Spain, Sweden, Switzerland, and the UK and Ireland, were surveyed, and a sample were interviewed.