Skip Ribbon Commands
Skip to main content
The Institute of Internal Auditors North AmericaBreadcrumb SeparatorNewsBreadcrumb SeparatorPress ReleasesBreadcrumb SeparatorSurvey: Prevention Dominates Cybersecurity Efforts

Survey: Prevention Dominates Cybersecurity Efforts

Little focus on business continuity and reputational risk in response planning

ALTAMONTE SPRINGS, Fla. (Feb. 15, 2016) — Business continuity and reputational risk take a back seat to keeping hackers at bay when it comes to cybersecurity planning, according to a new survey of North American businesses.

Despite growing acceptance that cyberattacks are all but inevitable, the vast majority of organizations polled (89 percent) continue to see prevention and education as they best way to address the threat, with limited focus on what to do once an attack is detected or how to protect the organization’s reputation from the fallout.

Indeed, a scant 3 percent of respondents listed reaction and restoration as the most effective methods of addressing cyberattacks, according to the 2016 North American Pulse of Internal Audit. The survey, produced by The Institute of Internal Auditors (IIA) Audit Executive Center (AEC), was released today and is available for download here.

The 2016 North American Pulse report raises questions about how internal audit practitioners are coping with new demands in four key area, including cybersecurity, and urges them to step out of their comfort zones.

“In the face of a cyberattack, addressing business continuity and reputational risk are paramount, yet few organizations are taking time to think beyond prevention,” said IIA President and CEO Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA “The IIA has been promoting cyber resiliency — the concept of addressing the full spectrum of prevention, detection, reaction, and restoration — for some time, so these findings are particularly alarming.”

The AEC survey’s findings jibe with a recent EisnerAmper survey of board members, which found fewer than four in 10 organizations have a plan in place to deal with reputational crisis. That report warned, “. . . public companies should be aware of the connection between a cybersecurity breach, an organization’s reputation and the ever-expanding role of social media.”

The Pulse survey also found that even when organizations have business continuity plans in place, only one in four provide clear and specific procedures for responding to a data breach or other type of cyberattack. What’s more, 17 percent reported that their plans provide no data breach or cyberattack procedures at all.

Of additional concern are findings that internal audit functions are not where they should be to best address cyberattacks. The survey found clear gaps between the ideal level and the currentlevel of internal audit’s effort in four key cybersecurity areas, as rated by survey respondents.

When asked to indicate the current level of internal audit’s effort to communicate cybersecurity risks to the board and executive management, 40 percent said the audit department provides significant or extremely significant effort. Yet when asked what level of effort internal audit departments should have, 69 percent of respondents said the effort should be significant or
extremely significant — a 29 percent gap.

The gap was 22 percent for ensuring communication and coordination among all parties regarding cybersecurity risk. The gap was 25 percent for working collaboratively with IT and other departments to build effective defenses and responses.

The most alarming gap involves providing assurance over readiness and response to cyberthreats, which ballooned to 37 percent.
Cybersecurity will be a major theme at the upcoming IIA General Audit Management (GAM) conference, March 7-9, in Dallas. Theresa Grafenstine, U.S. House of Representatives inspector general, will speak on the Chief Audit Executive’s (CAE) role in the war on cyber. Kelly Barrett, The Home Depot vice president of audit and corporate compliance, will speak on navigating a cybersecurity crisis.

Since its inception in 2012, the North American Pulse of Internal Audit report has surveyed CAEs, directors and senior managers annually and has become the go-to source for key trending data on the profession. It is produced by the AEC, a specialty center of The IIA created to provide members the tools and resources they need to help satisfy the growing expectations of

In 2016, the AEC plans to produce a series of exclusive Pulse Solution Reports for its members that will explore answers and options for addressing each of the four areas scrutinized in this year’s Pulse report.