Evolving cybersecurity challenges are demanding more attention from audit committees as part of their expanding risk-management responsibilities. Digital transitions across all industries have triggered subtle changes to threats, requiring audit committees to refine their cybersecurity plans and considerations accordingly.
Ransomware and third-party breaches, in particular, emerged at the end of the 2010s as the most significant forms of cyberattacks. They are not necessarily novel threats, but cybercriminals have tailored their tactics to new vulnerabilities, such as the growing use of cloud technology to store data.
More specifically, ransomware is a malicious software program that infiltrates an organization through a variety of means, most commonly email phishing. The software encrypts files, drives and devices connected to the network. Then the hacker demands a ransom to unlock the files. A third-party breach describes an incident in which a company’s data is accessed and compromised through an external business partner, such as an email or cloud service provider.
“The strains on businesses are becoming much worse,” said Matt Franko, director of security, privacy and risk consulting at RSM. “The malicious software is smarter. It’s starting to be more advanced than the tools available to defend systems. And they’re encrypting backup drives, so if a system goes down and you cannot bring those backups into place, that’s where you see organizations having to shut their doors and figure out what their rebound strategy is going to be—either pay the ransom or rebuild the system.”
Although these types of attacks can result in significant financial, operational and reputational losses, a well-organized, prepared audit committee can help your board position the company to handle cybersecurity risks. Consider these five components of a sound strategy: