Managing cyber security and other technology-related risks is becoming an increasingly complex business. Sara McCallister explains why.
With a growing need for technology assurance—from cyber security and transformation programmes to the use of AI, cloud services and third parties—what do internal audit and technology risk professionals need to know to protect organisations today?
Cyber security
Cyber security continues to be a critical business risk for organisations in Ireland and globally.
While data loss and service disruption continue to be the two biggest risks associated with a cyber-attack, ransomware attacks are also significant.
According to a 2023 Sophos report, 66 percent of organisations globally have been hit by a ransomware attack in the last year. Cybercriminals succeeded in encrypting data in just over three-quarters (76%) of these attacks.
Third-party management
To manage service continuity, information privacy and security risks, organisations need an effective framework of third-party controls.
IT and technology teams are among the most active users of third-party products, such as tools, software-as-a-service (SaaS) solutions and the direct outsourcing of business activities. This gives organisations access to a much wider range of skills and greater flexibility to scale up or down with demand.
Outsourcing the responsibility for these services doesn't outsource the associated risks, however. Organisations need to expand their range of assurance activities to cover third-party providers.
Generative AI
The risks associated with generative AI are critical due to its widespread adoption.
Concerns include the potential for biased outputs, security vulnerabilities and misuse of generated content for malicious purposes. Deepfakes, misinformation and ethical dilemmas also pose challenges.
As generative AI becomes integral to different sectors, understanding and mitigating these risks is essential to maintaining trust, safeguarding privacy and ensuring responsible deployment.
Timely attention to these concerns is crucial in preventing unintended consequences, protecting against malicious uses and establishing robust frameworks for the ethical and secure implementation of generative AI.
Transformation programmes
Organisations are adopting and experimenting with leaner and faster approaches to delivering transformation.
Many are dealing with the challenge of legacy IT: outdated infrastructure and applications that are still in use, prevent the adoption of more modern practices and expose them to availability risks and cyber security vulnerabilities.
Cloud assurance
In recent years, the use of cloud solutions has increased rapidly. Organisations use cloud solutions to host their critical systems, such as enterprise resource planning (ERP) and customer-facing applications, or sensitive data, such as personal data or intellectual property.
The proposed changes to the UK Corporate Governance Code (the Code) have heightened the focus on organisations’ financial and IT control frameworks ahead of the 2025 deadline. This would include controls in cloud environments.
Organisations still face challenges around cloud controls and assurance, inconsistent approaches across assurance teams, cloud concentration risks and lock-in with vendors.
There is also a shortage of cloud-risk specialists who can help organisations to determine whether practices are aligned with recommendations from the Cloud Security Alliance and cloud service providers.
Identity and access management
One of the foundational pillars of securing your organisation's data is ensuring you are adequately managing access to this information. This includes authenticating access, authorising access based on genuine business needs and monitoring and reviewing access to data.
Organisations need robust frameworks in place to manage access to their information and reduce the risk of inappropriate or unauthorised access, which could cause significant loss.
Technology resilience
In a technology-dependent world, it is often critical that an organisation's IT infrastructure and applications are resilient and continue to operate at acceptable levels during unexpected events or when elements of its technology environment are compromised.
Data management and quality
The risks associated with data management and quality are paramount as they directly impact decision-making, business operations and regulatory compliance.
Robust data management mitigates cyber security risks, safeguarding sensitive information from breaches.
Compliance with data protection regulations, such as GDPR, hinges on accurate data handling.
Addressing these risks ensures organisations can trust their data, supporting decision-making, maintaining customer trust and complying with legal requirements in a data-driven business landscape.
Sara McCallister is Partner, Business Risk Operations, Grant Thornton