Although it is the Incident Response team that will play a starring role during the immediate response to a ransomware attack, Internal Audit’s most crucial role occurs after the fact during containment and recovery. Audit’s ability to provide independent analysis and assistance during the post-mortem, to leverage lessons learned, and to conduct a post-incident review will help the organization stay ahead of future threats and reduce the impact of future cyber attacks. 

What to Expect After a Ransom Attack: Post-event Actions 

Containment and recovery 

After the incident, focus should be on containment and recovery — including working with the Forensics Team to identify the bad actors and access points. Internal Audit will need to perform a total security audit and update all systems. Malware should be securely removed, systems should again be hardened and patched, and updates should be applied. This may take some time and cost some money, but it’s necessary if you value your data and your company’s reputation. Closing the gap and ensuring containment works in tandem with mediation and negotiating with the intruder.  

Cleanup and analysis

During this phase, you should also be building an audit trail in real time for when you get to the post-mortem. Understand what the intruder accessed, and if your organization took appropriate and timely efforts to communicate with employees, suppliers, and other stakeholders. 

After the incident, Internal Audit should perform an independent review of the company’s response, disaster recovery, business continuity plans, and what transpired — identifying the steps taken immediately after the breach in order to find the control gaps and deficiencies. Determine the chain of custody during the process, the information security policies and procedures, the organization’s legal protocols for incident handling, and areas for improvement. The management team and Audit Committee are going to be looking to you for this independent analysis to stay ahead of future threats. 

Conduct a Postmortem

Once you’ve made it through the containment and neutralization phase, there are still post-incident tasks to complete to make sure that you are learning from the incident and implementing measures to prevent similar incidents from happening again. The incident team is most likely going to take the lead on this, but Internal Audit will have a critical role:

  • Complete an incident report. Look at your data backup and recovery, access control, and encryption, and map controls to threats. Documenting and disseminating the incident will help to improve the incident response plan and add security measures that avoid similar incidents in the future.
  • Closely monitor your systems to ensure the issue doesn’t reappear. Attackers may hit your organization again. Ensure that threat intelligence and preventative measures are updated in case threat actors reappear. 
  • Never assign blame. Don’t procrastinate or be vague; every minute detail is important. Gather information and have an audit trail.  

Internal Audit’s Role

While it’s not practicable to audit every business unit or security threat, there are a number of considerations for audit teams to focus on in the aftermath of a ransomware attack:  

  • Ensure your organization practices good cyber hygiene. Identify the frequency and type of backups and the use of multi-factor authentication. Old-fashioned backups could be a significant safeguard, especially if other backups were infected. 
  • Know your insurance coverage for cyber attacks:
    • What is your cyber insurance coverage? 
    • Does it cover the entire organization or is it only specific to certain entities or business units? 
    • Does it only cover certain types of incidents?
  • Understand your data security measures. Read them carefully to see how they’ve been tested — what’s worked and what has not. 
  • Develop an incident response mindset. Conduct a root cause analysis. Look at the mitigating factors to build and correlate analysis. Build organization-wide risk assessments.  
  • Maintain a holistic control library for SOX. When you’re working on incident responses and trying to relate back to a control, there may be unknown gaps. 
  • Consider materiality. 60% of companies attacked will pay a ransom. In 2019, the Ponemon Institute found the average cost of a data breach globally was just under $4 million — and the average cost for a lost or stolen record was about $150, double that in the U.S. There’s a long tail from a breach, with the cost felt even a couple of years later. 
  • Educate everyone about ransom attacks. If only some are aware and an attack takes place tomorrow, many will not be prepared.

These response steps and tips can offer Internal Audit the tools to help your organization — but prevention is key, and there are several things that you can start on today if you’re not already doing them. One key area is that Internal Audit can map key control areas to top threats. If you expect ransomware to be a big threat, either because there are many attacks in your industry or because you’ve had the experience yourself, then you can point audits at those areas. It’s a good idea to conduct surveys or interview-based discussions to identify top threats, map controls to each threat, and assess each control. Plan to spend more time on data backup and recovery, access control, and encryption, as these map to the most plausible threats the business faces. All signs point to increasing numbers of ransom attacks in the years to come, but a forward-looking internal audit team can play a pivotal role in reducing a cyber attack’s impact.

Scott Madenburg
About the author: Scott Madenburg, CIA, CISA, CRMA, is Director of Account Management at AuditBoard, where he helps clients maximize their team’s use of the AuditBoard platform. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades’ experience in operational, IT, and financial auditing, as well as SOX compliance.