3 Steps Audit Committees Can Take To Enhance Cybersecurity

Serge Jorgensen
6/9/2025

See how audit committees can help strategically improve cybersecurity oversight to protect business interests amid rising digital threats.

Cybersecurity incidents have reached staggering levels, with the annual impact estimated to reach $10.5 trillion in 2025. In the current threat environment, cybersecurity requires strategic oversight and governance from the highest levels of an organization, including audit committees.

As the frequency and sophistication of cyberattacks continue to escalate, audit committees can be involved in oversight, which requires a delicate balance of risk mitigation, budget allocation, and return on investment. During its recent “Financial Services Audit Committee Overview” webinar, the Crowe team covered three ways audit committees can enhance their cybersecurity oversight to better protect business interests.


1. Understand the who, why, and how of the cyberthreat environment

Threat actors are groups or individuals that seek to exploit security loopholes and cause digital harm, and they come in many forms. Nation-state actors might engage in cyber espionage and sabotage to advance geopolitical agendas. Organized crime actors, often as well-funded and skilled as nation-states, might use ransomware, fraud, or data theft to increase their financial reserves. With hacking tools and services increasingly accessible, even individual fraudsters can cause significant damage to an organization. The rise of AI and machine learning allows threat actors to automate attacks and adapt to defenses more rapidly.

In this environment, audit committees need to grasp the spectrum of threats facing their organization, from commodity malware to targeted attacks, as well as how those threats could affect the organization’s financial performance, intellectual property, and reputation. This knowledge is essential to guide strategic decisions related to cybersecurity investments and risk management.

2. Advocate for layered core cybersecurity controls

No single solution to cybersecurity challenges exists, but organizations can significantly reduce their risk by fully implementing a set of core controls that provide a layered defense against common threats. Audit committees can advocate adopting a comprehensive strategy with a measured, integrated, and risk-based approach to these controls. The strategy should include implementation of preventive measures and concepts such as these:

  • Endpoint detection and response (EDR) monitors end-user devices like laptops and mobile phones to identify, block, and alert users about malicious activity. As remote work has expanded the attack surface, risk-aware EDR deployments have become increasingly important to prevent compromised devices from serving as entry points for attackers.
  • Multifactor authentication (MFA) adds an extra layer of protection beyond passwords, requiring users to provide a second form of verification, such as a code from a mobile app or a biometric scan. MFA makes it harder for attackers to gain unauthorized access to accounts and systems, but many single-factor and non-Active Directory-integrated authentication routes still exist that must be identified and carefully monitored. Once inside a network, threat actors routinely exploit existing accounts and passwords. Security of these accounts is less about password change frequency or strength and more about detection of potential misuse and the subsequent response.
  • Regular data backups remain crucial to help organizations recover in the event of a ransomware attack or other disruption. Beyond just backups, the restoration process and reintegration of systems and applications should be tested to accurately predict restoration processes and time frames.
  • An incident response plan (IRP) can help minimize the impact of a successful cyberattack. The plan should define clear roles and responsibilities, communication protocols, and step-by-step procedures for containing an incident, investigating the cause, and restoring normal operations. A strong IRP supporting aggressive containment measures provides tools to help the security team respond quickly and effectively.
  • Security-by-design solutions build cybersecurity into the fabric of the network (for example, segmentation) or product (for example, logging and monitoring) itself, offering added protections that can complement other controls, improve efficiency, and reduce integration complexity.

Sophisticated threat actors are adept at finding and exploiting gaps in defenses, so even a small number of missing controls or misconfigurations can exacerbate the impact of a cyberattack. Audit committees should request evidence sufficient to identify the gaps and to verify that cybersecurity controls are not only present but deployed comprehensively across the enterprise, properly implemented, and regularly tested.

3. Facilitate cross-functional cooperation

Strong cybersecurity doesn’t happen in a vacuum; it takes cross-functional teamwork among a variety of departments, including IT, security, finance, legal, leadership, and the various business units. As the primary stewards of financial integrity and risk management in an organization, audit committees are uniquely positioned to help align cybersecurity with broader business objectives, allocate adequate resources to protect critical assets, and foster an environment of shared responsibility and collective vigilance.

Collaboration can enhance and fortify an organization’s cybersecurity posture by bringing together diverse perspectives from across the business. IT and security teams offer an extensive technical background as well as a deep understanding of the threat landscape. Finance and audit professionals contribute their combination of risk management experience and financial oversight. And legal departments provide necessary guidance to help make sure cybersecurity measures align with regulatory requirements.

This united approach allows organizations to establish a comprehensive cybersecurity strategy that balances risk mitigation, operational efficiency, and business objectives. However, this strategy is not a “one and done” exercise. To be truly effective, businesses should use these cross-functional teams to regularly review the core controls and make needed adjustments, which can help them stay ahead of emerging threats.

As the frequency and sophistication of cyberattacks continue to rise, organizations must be diligent about taking steps to mitigate risks and protect their operations, reputation, and financial stability. Audit committees play a vital role in this effort by providing oversight and guidance to support giving cybersecurity the attention and resources it requires.


Serge Jorgensen
Principal, Cyber Consulting; Office Managing Principal, Sarasota and Tallahassee