By: R. Curtis Thompson, CPA.CITP, CISA
An internal auditor and an IT auditor walk into a bar… Sorry, I don’t know the rest of the joke, but it has to include something about internal controls, and only a few people would actually get it. Such is the life of an auditor…
However, last week I attended the GRC 2016 conference in Ft. Lauderdale. This conference is co-organized by ISACA and The IIA. Internal Auditors, IT Auditors, and Risk Management professionals assembled to discuss the most exciting things in Risk, Controls and Governance!
For those of you that could not attend, I would like to share some insights from the Keynote speaker.
The keynote speaker was Theresa Payton, former White House CIO under George W. Bush. She discussed some of the risks in IT that I thought were enlightening. As we probably all know, almost 99% of all attacks are started with some type of malformed email to gain information to start the attack. But new vectors continue to show up.
One issue that is just starting to gain our attention is ‘The Internet of Things’ (IoT). It seems like they are trying to add internet connectivity to all our appliances. A humorous example of the risks is where a hypothetical employee bragged about his healthy lifestyle and his good eating habits and another hypothetical employee hacked into his refrigerator’s webcam to see all the junk food.
That may be funny, but there has been a proof-of-concept hack done with a teapot that is connected so that you can get the tea started via your smartphone. A group of researchers (I am sorry I don’t have the details to give them credit) used this function to gain access to the network since the teapot was connected to the internal WiFi. This makes me wonder where IoT will take our IT Audits in the future…
She also talked about how we need to review what people are actually doing. Take a walk through your organization and see how people are working. Are they conducting business the way you think? Are they using their smartphone or iPad to conduct business? Are they using alternative software to do their job because the software they were given is obsolete? Sometimes we need to follow where the users are leading us and sometimes we need to rein them back in.
IT is sometimes accused of getting in the way of business, but maybe there is an opportunity to gain business based on what IT is doing. While security is becoming a bigger part of everyone’s life, can we use it to our advantage? Theresa stated that 80% of people are more likely to work with a company that they think is trying to protect their data. That made me think. The companies that we work with are all doing a pretty good job with security and data protection. I know this because I am doing the audit, but do your customers know what you are doing to protect their data? Do they even know how much you care about protecting your data?
Obviously you can’t share all the details of your security, but maybe more companies should think about communicating how much they do to protect their customer data and how much they care.
I will be sharing more insights about the things we discussed over the next few months. But for now, it seems to be conference season… Hope to see you at the VBA or NCBA CFO conferences this week!
Throughout his time at YHB, Curtis has provided IT audit and consulting to clients, even while holding the position of the firm’s IT director for several years. Now, as head of the YHB Risk Advisory Services Team, Curtis focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services. He also frequently speaks and gives presentations on SOX compliance, internal controls, and data security.