Use a layered cyber-security approach to protect crown jewels

When discussing cyber-security, Sajay Rai, CPA, likes to compare an organisation’s network and systems to a castle.
The moat surrounding the castle is analogous to the network’s outer defences. But additional defences exist, too – a gate, sentries, and locks. And the crown jewels, locked away in a safe place, are protected more than anything else in the castle.
Rai said the additional layers of defence also should exist in an organisation’s systems, with the most sensitive information protected by the most layers. According to Rai, organisations that for many years invested security resources primarily into their outer network perimeter now have learned that it’s important to beef up other layers of defence, too.
“Just protecting the outer gate of the castle, so to speak, is not enough,” Rai said. “You need a layered defence. Although a network perimeter is definitely that first layer of defence, it should not be the only one.”
If the system’s outer defence is breached, additional controls can protect the most sensitive information. These controls can include access restrictions, encryption, intrusion detection systems, and other preventive and detective techniques.
Rai, founder and CEO of IT consulting organisation Securely Yours LLC, co-authored a report released this week that identifies 10 top technology risks and explains how internal auditors can help manage those risks. The report, Navigating Technology’s Top 10 Risks, was issued Wednesday by The Institute of Internal Auditors (IIA) Research Foundation and is available for download on the IIA’s website.
Rai suggested that the health of any organisation’s security programme is only as strong as its weakest link. He said internal audit can use the top 10 risks to identify weak links and work on correcting them. According to Rai, internal audit can help an organisation manage technology risks by:
- Addressing the risk of excessive access. Rai said internal auditors need to look beyond compliance exercises with respect to technology and seek ways to mitigate risks associated with access, particularly to sensitive information. Rather than just periodically reviewing access practices to remain in compliance with standards, Rai said internal auditors need to focus on critical systems and monitor who has access to those systems. He said tools are available now that can alert internal audit when users are accessing information that’s supposed to be off-limits to them. “Instead of a passive exercise, it can be an active exercise,” he said.
- Highlighting the risks of emerging technologies. It’s easy for organisations to focus on the benefits of technologies, for example, internet of things technology that may reduce car crashes by allowing vehicles to communicate with one another. The risk in this example is that hackers may be able to take over the systems of vehicles in motion and create havoc. “Internal audit’s role is to make sure the organisation understands not just the enablers and the positives, but also the risks, and help mitigate those risks,” Rai said.
- Scanning for weaknesses – and preparing a response. Rai recommended that organisations perform vulnerability scans of their networks quarterly and conduct penetration tests of critical systems and sensitive environments at least annually. Internal audit can participate in these tests and monitor simulation exercises to prepare organisations to respond if a breach does occur.
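The “active exercise” described under excessive access, where off-limits access to critical systems raises an alert rather than waiting for a periodic review, can be prototyped in a few lines. The following is an added illustration, not code from the report or from Securely Yours; the entitlement matrix, the log layout and the log lines are constructed sample data.

```python
"""Flag successful access to sensitive systems by users who are not entitled to them.

Added example: entitlements, log format and log lines below are constructed,
not taken from the IIA report or any real system.
"""
import re

# Constructed entitlement matrix: which users may touch each sensitive system.
# In practice this would be pulled from the identity system or a reviewed access list.
ENTITLEMENTS = {
    "payroll-db": {"alice", "svc-payroll"},
    "hr-records": {"alice", "bob"},
    "customer-pii": {"carol"},
}

# Constructed sample access log in a simple "timestamp user action resource outcome" layout.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice READ payroll-db OK
2024-05-01T09:02:14Z bob READ payroll-db OK
2024-05-01T09:05:30Z dave READ customer-pii DENIED
2024-05-01T09:07:45Z carol READ customer-pii OK
this line is malformed and must be skipped, not crash the monitor
2024-05-01T09:09:00Z erin WRITE hr-records OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<resource>\S+) (?P<outcome>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped silently."""
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            yield match.groupdict()


def find_off_limits_access(text, entitlements=ENTITLEMENTS):
    """Return (alerts, denied): alerts are successful accesses by non-entitled users,
    the inner layer failing; denied are attempts the access control itself blocked,
    worth counting but not a breach. Each entry is (timestamp, user, resource)."""
    alerts, denied = [], []
    for event in parse_log(text):
        allowed = entitlements.get(event["resource"])
        if allowed is None or event["user"] in allowed:
            continue  # not a sensitive system, or an entitled user
        record = (event["ts"], event["user"], event["resource"])
        (alerts if event["outcome"] == "OK" else denied).append(record)
    return alerts, denied
```

Feeding real access logs through the same check on a schedule, and routing the `alerts` list to internal audit, turns the periodic review into the continuous monitoring Rai describes.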
Rai said that at most organisations, internal audit does not possess the technical expertise to perform as skillfully as it should in every area. He recommended that internal audit get outside help where necessary, as its role evolves along with the technology organisations are using.
“With all the recent news we’re seeing about data breaches and other activities in the media, internal audit has a key role to play,” Rai said. “And that role comes in terms of understanding where the risks are and helping mitigate those risks.”
—Ken Tysiac (ktysiac@aicpa.org) is a CGMA Magazine editorial director.