Cybersecurity is an iceberg topic: the largest part is what you don’t see--and that’s the part that can sink an organization.

I’m the Internal Audit Manager in Aurora, Colorado, and the former director of administration and finance at ICMA. I teamed up with Tim McCain, Aurora’s Information Security Officer, to come up with a list of the questions managers should ask as they address the risk of cyber disruptions.

In Aurora, we are watching the cybersecurity ice mountain grow larger and larger before our eyes, but we are not sitting still or ignoring it. We are looking below the surface at the complex issues involved and chipping away at them strategically, consistently, and in line with the resources we have at hand. It’s not an easy task. It’s a big berg. We have no choice; neither do you.

Cybersecurity affects everyone. Large? Medium? Small? Regardless of your organization’s size, you are a potential target. Email scams, network attacks, and ransomware are just three of the predators out there looking for a vulnerable target. Cities take advantage of technology to make internal operations and service delivery more efficient and effective. The “internet of things,” which enables our cities to use the internet in ways never before imagined, provides an exponential number of increasing opportunities for mayhem. You can hand the problem off to IT and move on, but the problems and the solutions go beyond IT. Cybersecurity is an organizational issue that just happens to enter in through the technology door. Addressing the issue needs to start at the top and involve everyone within the organization.

We internal auditors look at our organization through the eyes of “risk.” We define risk as “the possibility of an event or condition occurring that will have an impact on the ability of our organization to achieve its strategic objectives." Managers deal with risk every day, whether they are conscious of it or not. Cybersecurity is a risk challenge that requires a conscious approach. Here are six questions you can use as a framework to get started.

1. What could go wrong? Brainstorm. No possibilities are off the table. The more voices in the room from every staff position and generation, the more likely you are to gather a comprehensive list of possibilities.
2. What would be the early warning signs? How would you know if something is amiss? Have your staff noticed more mysterious emails in their inboxes? Is your IT department finding anomalies showing up on their reports? Is your administrative staff receiving any odd phone calls? Identify as many warning signs as you can and try to understand if you have the ability to monitor them and alert the appropriate people if they occur.
3. What is the likelihood of this event or condition occurring? This is somewhat subjective, but have your staff consider your existing defenses, the status of your hardware and software, and even your computer use policies. Did you know that any staff member sitting in front of a monitor and keyboard is your greatest vulnerability point? Open one wrong email attachment and. . . well, it could get ugly quickly. Gauging your threat awareness and readiness will help you estimate the likelihood of an event occurring. No one is immune. The question is no longer “if” you will ever get hacked, but “when.”
4. What would be the impact if an event did occur? First thoughts here jump to financial hits and that is a real possibility; but don’t forget to consider potential impacts on internal operations, external service delivery, and especially reputation impacts. Who wants to work for an organization that cannot keep its employees’ personal information out of the public domain?
5. How would you respond if it did occur? This is critical. Once an event occurs, how you respond can affect the impact severity. Your response can also boost or further destroy your organization’s reputation in the public’s eye. Identify the response resources required—time, money, and people—for which you should plan before an incident occurs.
6. What are you doing now that would minimize the impact or likelihood of this risk or condition if it did occur? You can use your work in determining your organization’s current preparedness level to address this question.

I strongly suggest gathering a cross-section of your operational staff to begin answering these questions related to cybersecurity. Answering these questions is a good starting point that can help you evaluate your preparedness, identify your worst vulnerabilities, and provide a basis for generating an action plan to begin addressing this critical issue. Start now; that iceberg is headed your way. 

Contacts: Wayne C. Sommer, Internal Audit Manager, Aurora, Colorado (wsommer@auroragov.org); Tim McCain, Information Security Officer, Aurora, Colorado (tmccain@auroragov.org).