The top technology risks according to audit and risk leaders
IT audit and risk leaders globally identified cybersecurity, privacy and compliance as their top technology risks going into 2021 – according to a new study by Protiviti and ISACA.
The researchers surveyed over 7,400 professionals in top IT audit and risk jobs, seeking perspectives on what risk managers are expecting this year. The focus was on technology risks, and the responses clearly reflect the core workplace transformations that took place during the pandemic.
The number one concern this year is a cyber breach. Sophisticated cyber criminals already had businesses on high alert before last year. With lockdowns and virtual working arrangements, business IT infrastructure was suddenly spread across a host of unreliable and insecure private networks – operated by people with inadequate cyber literacy.
This was a field day for hackers. An Interpol report from August last year revealed that phishing, ransomware, data harvesting malware, and malicious domains all surged in 2020 – in some cases by more than 500%. Yet, remote working has delivered myriad business benefits, and many are going into 2021 embracing it as a long-term fixture.
For IT audit professionals, this spells bigger risk. Following closely in the top risks are privacy issues. Taking business to private home networks was already putting personal privacy at risk, topped off with self-reporting, testing, and tracing apps that have formed the bedrock of pandemic response efforts.
Track-and-trace practices require people to disclose private health data regularly, while also using location technology to monitor individual movements. Although useful in emergency containment efforts, these measures have thrown up ethical dilemmas that are likely to persist for years to come.
Next on the Protiviti and ISACA risk list is regulatory compliance. Cyber threats aside, the pandemic also caused a dramatic spike in fraud incidence globally. This is in addition to the inadvertent breaches that might occur due to remote interactions and a lack of oversight. The burden of controlling these moving parts falls on risk leaders.
Other matters on their agenda include user access, incident management, disaster recovery, data governance, third-party risk, remote workplace infrastructure, and availability risks – all of which are stark reflections of pandemic-induced realities.
A clear common thread through all these risks is technology. As a result, businesses with a better command over technology – described in the report as "digital leaders" – stand a better chance of managing these threats. Risk management practices adopted by digital leaders already show that extra edge.
Nearly 70% of digital leaders have now merged technology audits with overall internal audits – a nod to the growing integration of tech in various business functions. Fewer than 60% of other businesses have done the same, while the rest tend to separate technology risk management from other audits.
Another best practice is the frequency of audits. With the pace of today’s business environment, no longer is it enough to do a periodic review of risks. Audits need to be conducted continually – a practice adopted by nearly half of all digital leaders. The majority of other organizations only do an annual technology risk audit.
“Amid an organization’s digital transformation journey, continuous risk assessments and more risk-responsive and risk-aligned audits are essential to delivering feedback and value early and often to stakeholders and the business,” noted the report.
“This is particularly important as the business environment continues to experience rapid change due to the Covid-19 global pandemic, digital transformation and other disruptive forces. A dynamic risk assessment approach enables IT audit groups to be increasingly precise in assessing and adapting to emerging risks.”
The good news is that many businesses appear to have taken note. Per the research, the frequency of technology audits is rising. While continual reviews are still further down the line, many businesses are now considering at least a quarterly tech audit – both among digital leaders and other organizations.