00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit Tech.
00:00:06 The IIA
In this episode, Adam Ross speaks with Vipul Patel about how organizations can better prepare for ransomware attacks.
00:00:14 The IIA
They talk through what goes wrong in the first hours of an attack, what smart preparation looks like, and where traditional audit approaches fall short when a business is in crisis mode.
00:00:27 Adam Ross
What are the most common mistakes companies can make in the first hours or days when responding to a ransomware attack?
00:00:32 Vipul Patel
I look at it in about two key points when we think about the common pitfalls or mistakes upon a response.
00:00:40 Vipul Patel
One is probably the biggest, and it happens more often than you think, Adam, is
00:00:47 Vipul Patel
that organizations immediately start pulling the plug, pulling the cables.
00:00:52 Vipul Patel
They start shutting their servers down because that's their impulse reaction, right, to a ransomware attack is, hey, we have to triage by just closing all the doors.
00:01:02 Vipul Patel
The challenge with that is, if there's not a plan of action, that instinct can cause a little bit of chaos with respect to the triaging, right?
00:01:12 Vipul Patel
And as you're trying to stop the bleeding, as you're trying to pull the plugs to contain...
00:01:19 Vipul Patel
you realize that you have this like, oh crap moment where I haven't preserved the necessary data artifacts or points to then triage down the road, right?
00:01:30 Vipul Patel
So you're almost making the investigation 10 times harder by acting on that impulse of pulling the cables.
00:01:38 Vipul Patel
And I think that's probably one of the biggest pitfalls.
00:01:41 Vipul Patel
And the second piece of it
00:01:42 Vipul Patel
is what I call communication chaos.
00:01:46 Vipul Patel
Again, without a well-articulated plan, you have the legal team talking to IT, you have the CEO calling the CISO, nobody knows who's in charge.
00:01:58 Vipul Patel
And while everybody's just calling each other, there's actually no work being done to triage that ransomware attack.
00:02:05 Vipul Patel
So I think the organizations that tend to respond well,
00:02:10 Vipul Patel
have a clear communication protocol and a clear ownership model.
00:02:14 Vipul Patel
But yeah, I'd say those are probably the two biggest things from my experience that I've sort of seen out in the market.
00:02:20 Adam Ross
That's very interesting.
00:02:22 Adam Ross
On the communication side, I'm curious in terms of your thoughts when companies have incident response plans, do you think that it's beneficial for them to have specific communication plans relevant to a given crisis or incident?
00:02:35 Adam Ross
Or does it typically fall under, is it sufficient if it's the overall communication plan that could be applicable to multiple different situations?
00:02:42 Vipul Patel
Yeah, I think that's a great question.
00:02:44 Vipul Patel
The ones that do it well that I've seen almost have just overarching crisis management.
00:02:49 Vipul Patel
right?
00:02:50 Vipul Patel
And there's sort of a communications plan associated with any crises, right?
00:02:55 Vipul Patel
Cyber attacks being one of them, but disaster recovery, whatever it might be, there is an overarching plan to your point.
00:03:03 Adam Ross
You laid out some common mistakes.
00:03:06 Adam Ross
Can you maybe walk us through a real world scenario or example where the company's response to a ransomware attack, let's say positive, went well?
00:03:15 Adam Ross
I guess, relatively speaking, well, there's been a ransomware attack, which is not great, but maybe you can share a little bit about how in a real-world scenario that they were thoughtful in their response to minimize the impact.
00:03:26 Vipul Patel
Yeah, no, that's a great question.
00:03:27 Vipul Patel
Of course, you know, I can't name specific organization names, so I'll try to keep it general, but still directionally valid.
00:03:36 Vipul Patel
There was this one organization that I worked with, and as I was interacting with the executive team, and again, this was post-incident, and we were sort of doing a reflection, and I posed various questions, and I actually had a chance to go visit the server room.
00:03:57 Vipul Patel
And I kid you not, I walked in, and on the inside of the server room,
00:04:03 Vipul Patel
there was a laminated one pager that's just taped to the wall and literally just a printed runbook per se of how to react upon an incident.
00:04:17 Vipul Patel
And it said, stop, isolate, document, and then call these three numbers.
00:04:23 Vipul Patel
And, you know, just a simple
00:04:26 Vipul Patel
plan like that, again, reduces the impulse reaction. It was just so well done.
00:04:33 Vipul Patel
I mean, as we all know, human nature, right?
00:04:35 Vipul Patel
When our heartbeats are elevated and we're under this sort of pressure, fear, complexity is the worst thing to have, right?
00:04:44 Vipul Patel
So I think that particular organization did it very, very well to just have just a simple laminated one pager that calls out, you know, the steps and the right people to call.
00:04:54 Adam Ross
That makes a lot of sense.
00:04:55 Adam Ross
The stop, look, listen approach as opposed to the three-ring binder with reams of paper certainly can be a little overwhelming.
00:05:03 Adam Ross
You've kind of teased the next question as we start to talk about the role of internal audit.
00:05:08 Adam Ross
I'm assuming that you were having those conversations in a capacity as an internal auditor.
00:05:12 Adam Ross
So maybe you can talk a little bit about before a ransomware incident even occurs, where do you see internal audit adding the most value and helping organizations prepare?
00:05:22 Vipul Patel
Another great question and hugely relevant, again, for our audience.
00:05:26 Vipul Patel
Internal audit sits in a really unique position within an organization.
00:05:31 Vipul Patel
They really have visibility and access across the enterprise that, quite frankly, most functions don't have.
00:05:40 Vipul Patel
So the question is, what can internal auditors do with that access?
00:05:44 Vipul Patel
And I think it starts with
00:05:47 Vipul Patel
asking those uncomfortable questions, especially to the groups that are closest to the protocols and processes.
00:05:57 Vipul Patel
almost as a gut check, right?
00:05:59 Vipul Patel
Because again, the ones that are closest to it may not have that purview.
00:06:04 Vipul Patel
And so even if it's asking questions around the IR plan, right?
00:06:09 Vipul Patel
Is it documented a certain way? Asking questions about the organizational structure, is it set up the right way to react?
00:06:18 Vipul Patel
And what we're seeing specifically on the IR plans is, you know, nowadays companies
00:06:24 Vipul Patel
are restructuring, reorging quite often, right, as they evolve their business model.
00:06:30 Vipul Patel
Sometimes those things aren't reflected in IR plans, right?
00:06:33 Vipul Patel
And it's left for assumption.
00:06:34 Vipul Patel
So I think that that's where internal audit can use the access they have to ask the tough questions, asking around testing backups, right?
00:06:42 Vipul Patel
I mean, that's at the surface probably the easiest question to ask, but it's not really about testing the backup per se.
00:06:50 Vipul Patel
It's
00:06:51 Vipul Patel
How are they able to restore the backup?
00:06:53 Vipul Patel
Because that's the most critical part, part of incidents.
00:06:55 Vipul Patel
So I think that's probably the best.
00:06:58 Vipul Patel
Things look good on paper, but having internal audit stress test it is probably the key value driver there.
00:07:05 Adam Ross
I think that stress testing approach is a really important one.
00:07:09 Adam Ross
We're on the outside.
00:07:10 Adam Ross
We're not beholden or necessarily the owner of the plans and the processes.
00:07:15 Adam Ross
So we have the opportunity to ask questions.
00:07:17 Adam Ross
I encourage teams to channel their inner Dennis the Menace in those situations, right?
00:07:22 Adam Ross
How would you create a scenario where something could break?
00:07:24 Adam Ross
Whether that be something as simple as, we were doing an audit of texting for a health system.
00:07:30 Adam Ross
They said they used it to confirm appointments.
00:07:32 Adam Ross
1 to confirm, 9 to change.
00:07:35 Adam Ross
We said, you're dealing with older patients.
00:07:37 Adam Ross
What's to stop them from responding with their social security number?
00:07:40 Adam Ross
And what do you do if they do that?
00:07:42 Adam Ross
Are you going to make sure that you dispose of that?
00:07:44 Adam Ross
And they're like, why would someone respond with their social security number?
00:07:46 Adam Ross
And I said, I don't know, but is it possible?
00:07:48 Adam Ross
It is.
00:07:49 Adam Ross
And I think that's the great role internal audit could be bringing to these is to help management think through some of those scenarios that maybe they're a little close, too close to, come up with.
00:07:58 Vipul Patel
Right.
00:07:58 Vipul Patel
Those what if scenarios.
00:07:59 Adam Ross
Yeah.
00:08:00 Vipul Patel
Right.
00:08:00 Vipul Patel
Absolutely.
00:08:01 Adam Ross
Yeah.
00:08:01 Adam Ross
Fantastic.
00:08:02 Adam Ross
Do you have any specific examples or use cases where internal audit helps strengthen ransomware readiness?
00:08:08 Adam Ross
Maybe it could be
00:08:09 Adam Ross
developing or participating in tabletop exercises, testing some of those controls you mentioned, or even evaluating the efficacy or sufficiency of those incident response plans.
00:08:18 Vipul Patel
Absolutely.
00:08:19 Vipul Patel
I think all three for sure, you know, what I'm seeing in the market, you know, again, depending on the maturity of internal audit functions, you certainly have testing or any kind of assurance around existing controls.
00:08:33 Vipul Patel
But I think what I've seen the most
00:08:36 Vipul Patel
impactful is really the tabletops.
00:08:38 Vipul Patel
That's when you sort of get some immediate aha moments, especially not just as your role as an internal audit function, but when you are involved in helping bring all the other functions to the table, right?
00:08:52 Vipul Patel
You have your CISO organization, you have legal, you've got your comms groups, you've got, you know, ops folks.
00:09:00 Vipul Patel
And when you can get everybody in a room together,
00:09:04 Vipul Patel
and you work through scenarios, it's just so telling what you uncover within the first half hour, hour, right, where you realize that legal didn't know that IT can read and have access to encrypted files.
00:09:23 Vipul Patel
right?
00:09:24 Vipul Patel
You have awareness that the CFO, if the organization chooses to make the ransom payment, that you may need to abide by OFAC rules to prevent any kind of sanction law violation.
00:09:39 Vipul Patel
So these are the nuanced details that, again, if you're not doing a tabletop and you're bringing all the parties together, you don't want to realize this stuff
00:09:49 Vipul Patel
during an incident, right?
00:09:50 Vipul Patel
That's that oh crap moment.
00:09:52 Vipul Patel
So I see just a tremendous amount of value with internal audit having a seat and almost facilitating this. That is where I would say the biggest thing is.
00:10:03 Adam Ross
I would think the vast majority of our listeners and internal auditors in general would agree.
00:10:07 Adam Ross
I do have a follow-up question, though.
00:10:09 Adam Ross
It does take two to tango.
00:10:10 Adam Ross
Management has to be open to internal audit participating.
00:10:13 Adam Ross
And maybe you can share to those listening, some.
00:10:16 Vipul Patel
Absolutely.
00:10:17 Vipul Patel
I think budgets help.
00:10:21 Vipul Patel
Many times, IT organizations, who traditionally have been sort of the ones that spearhead these kinds of tabletop activities, have limited resources, right?
00:10:31 Vipul Patel
And so if audit functions have sort of the budget, that's where a sense of partnership can come into play.
00:10:38 Vipul Patel
But even just sort of elevating this to the board level, right?
00:10:42 Vipul Patel
And that's sort of the one group of folks that internal audit, with the audit committee, has access to.
00:10:48 Vipul Patel
And you sort of partner with the ITO to raise the awareness of the importance of doing this, the resources will come.
00:10:55 Vipul Patel
And I've said this word a couple of times,
00:10:57 Vipul Patel
around partnership.
00:10:59 Vipul Patel
That's probably the biggest thing for internal auditors, like just go find your CISO, make friends with them, or at least in a business realm, help articulate the value of IA and help articulate the impact and benefits of working together.
00:11:13 Vipul Patel
It starts there with that relationship.
00:11:15 Adam Ross
Love it.
00:11:16 Adam Ross
So you've already shared several suggestions on ways organizations can more proactively approach ransomware preparedness and how internal audit can support that.
00:11:26 Adam Ross
Maybe you can share some lessons learned from your experiences when organizations, when the dust settles, when organizations kind of take a breath and really do a root cause and come up with how can we get better?
00:11:37 Adam Ross
How can our listening audience learn from others' experiences?
00:11:42 Vipul Patel
Yeah, and that's really what it's about too, right?
00:11:44 Vipul Patel
I mean, I think
00:11:45 Vipul Patel
We all have to have that learning mindset.
00:11:47 Vipul Patel
I think back, cyber has been such a heavy topic and top of mind topic for over a decade now, right?
00:11:55 Vipul Patel
And you sort of shifted the approach to cyber across that journey from, hey, let's not get attacked, let's not get attacked, but then it shifted quickly to it's going to happen.
00:12:06 Vipul Patel
You're going to get attacked in some capacity.
00:12:10 Vipul Patel
So how do you contain it?
00:12:11 Vipul Patel
How do you respond to it, recover from it?
00:12:14 Vipul Patel
And so the knowledge sharing across the board, I value that.
00:12:18 Vipul Patel
I think it should happen more, but I understand the sensitivity of the nature of sharing.
00:12:22 Vipul Patel
So I would say based on my experience and sort of what I've seen out in the market, there's probably three pretty important lessons learned.
00:12:31 Vipul Patel
Number one is, you know, many organizations sort of hang their hat on, we have a plan, we have a plan, we have a plan.
00:12:39 Vipul Patel
The challenge was that they just didn't practice it enough.
00:12:43 Vipul Patel
Right?
00:12:43 Vipul Patel
And I think building that muscle memory to practice the plan, do the tabletop exercises, upon an incident, you sort of become second nature.
00:12:53 Vipul Patel
I would say the second big one, and something we're seeing pretty prevalent over the past five years or so, is third-party exposure.
00:13:00 Vipul Patel
Many times organizations, they get surprised that the entry point into their environment is actually through a vendor or a contractor or a SaaS software tool.
00:13:13 Vipul Patel
And so just getting some arms around that piece of it is super important.
00:13:19 Vipul Patel
And the third one is a little bit nuanced, but I would say it's more cultural.
00:13:23 Vipul Patel
Many times organizations create these programs where they'll do like phishing just to test the people side of the house.
00:13:32 Vipul Patel
And I think there's like this fear factor per se, where people are afraid to raise their hand if they notice something wonky and they just assume, oh, IT's probably got this handled, right?
00:13:44 Vipul Patel
And if there could be a way to change that culture where it's safe to raise your hand, safe to point out something that may feel a little off
00:13:53 Vipul Patel
without fear of anything.
00:13:55 Vipul Patel
I think that's probably the third biggest.
00:13:57 Vipul Patel
And that's where internal audit can really come into play to sort of champion that kind of culture.
00:14:03 Vipul Patel
I'd say those are probably the three big ones.
00:14:05 Adam Ross
Those are super interesting and they make a lot of sense.
00:14:07 Adam Ross
The first one I heard is the practice helps make it predictable and repeatable.
00:14:11 Adam Ross
So the organization has a reduced risk of failure when they need to execute the plan.
00:14:16 Adam Ross
Because otherwise it's, to put my accounting hat on, it's a significant and unusual transaction, right?
00:14:21 Adam Ross
And they might not be used to executing the controls related to it.
00:14:24 Adam Ross
So the more they do it, the more comfortable they'll be, and they're more likely to execute as planned.
00:14:29 Adam Ross
The other thing that really stood out to me is encouraging a culture of see something, say something, and making it easy for individuals to raise their hands, whether it be right in your e-mail, report phish, and just let it go.
00:14:44 Adam Ross
And if it's nothing, it's nothing.
00:14:47 Adam Ross
But you should never be afraid to raise your hand and call Chicken Little, because it may be something.
00:14:53 Adam Ross
So that's, those are great things.
00:14:55 Adam Ross
A little bit of a follow-up question on this.
00:14:57 Adam Ross
Are there any specific
00:14:58 Adam Ross
changes you've observed either to governance or control as a result of an attack or a debrief on a ransomware attack?
00:15:07 Adam Ross
I'm curious if maybe you could share some of those examples.
00:15:10 Vipul Patel
I think I mentioned this a little bit earlier.
00:15:13 Vipul Patel
We talked about the view of
00:15:17 Vipul Patel
governance and the ownership, and I touched on sort of crisis as a whole, overarching, which could be cyber, any other ransomware, other disaster recovery, et cetera.
00:15:28 Vipul Patel
There is one particular example of an organization, I thought this was brilliant, by the way, is they did have a significant incident, and after the dust settled, and
00:15:38 Vipul Patel
the organization reflected on sort of what went well, what didn't work well, they actually took it upon themselves to restructure their overarching crisis governance model.
00:15:49 Vipul Patel
And what was happening before is they had their incident response plan have IT as the de facto lead, right, as most organizations do.
00:16:01 Vipul Patel
But what they did is they realized, hey, you know, ransomware
00:16:06 Vipul Patel
is actually a business crisis, right?
00:16:09 Vipul Patel
It's not a technology crisis.
00:16:12 Vipul Patel
Even though the entry point was through technology, the impact of it is broader than just IT.
00:16:18 Vipul Patel
And so when they made that change, it really elevated the response structure.
00:16:22 Vipul Patel
It elevated the accountability of it to have a business executive as that sort of incident coordinator, commander.
00:16:29 Vipul Patel
Other functions were still there, right?
00:16:31 Vipul Patel
IT, legal, everybody still had an equal part, equal seat at the table.
00:16:34 Vipul Patel
But just changing that ownership, I thought, was actually a brilliant move.
00:16:38 Vipul Patel
And again, it shifted the conversation from tech, tech, tech to just sort of enterprise, right?
00:16:44 Vipul Patel
Again, haven't touched base with that organization again, but I'd imagine a shift in that governance model will probably allow them to respond quicker in the future.
00:16:55 Adam Ross
And I think that's consistent with what our profession has been saying for a long time, which is this is a subset of a cyber risk issue.
00:17:02 Adam Ross
And we've always said all along that cyber risk is a business issue.
00:17:05 Adam Ross
It's not an IT only issue.
00:17:07 Adam Ross
That's why we spend so much time trying to educate the employee base and the workforce on their role in protecting the information assets.
00:17:14 Adam Ross
And like you said, keeping their eyes open.
00:17:16 Vipul Patel
Absolutely.
00:17:16 Adam Ross
So we've covered an awful lot of ground in a quick amount of time here.
00:17:20 Adam Ross
Curious if you have any examples of organizations doing this particularly well that internal auditors can learn from.
00:17:26 Adam Ross
I know you talked a lot about participating in tabletops, being proactive and working with management.
00:17:31 Adam Ross
Are there any other suggestions you have for internal auditors that they could benefit from?
00:17:36 Vipul Patel
Absolutely.
00:17:36 Vipul Patel
I think there's, without being able to name specific organizations, if I think through the organizations that do this well,
00:17:46 Vipul Patel
they share a few, I guess, common traits, and I think that might be helpful for the audience to understand: what are those traits?
00:17:53 Vipul Patel
One, as I said earlier, they're treating cyber resilience as sort of a board-level conversation.
00:17:59 Vipul Patel
Again, not an IT conversation, it's getting the whole entire organization involved and aware of that.
00:18:05 Vipul Patel
And I think companies are seeing that, right?
00:18:07 Vipul Patel
It's not just a recent, obviously over the past decade or so.
00:18:10 Vipul Patel
I mean, you see cyber popping up, at least on a quarterly basis, on board agendas, right?
00:18:16 Vipul Patel
And going back to that building that muscle memory, right?
00:18:19 Vipul Patel
Just keep running the drills, keep running the drills, keep running the drills.
00:18:23 Vipul Patel
You do it so frequently that at the time of an incident, when it really happens, it's just second nature.
00:18:27 Vipul Patel
And people fall into the roles, they execute, and it goes without a hitch.
00:18:32 Vipul Patel
The other piece of it too, and I think, again,
00:18:35 Vipul Patel
probably refreshing for our audience to hear is, again, those organizations that do this well, they're actually embedding internal audit into the resilience framework, right?
00:18:46 Vipul Patel
So traditionally, you sort of see, hey, internal audit come in after the fact, hey, what went well, what didn't go well, help identify the findings that someone else can go fix it.
00:18:55 Vipul Patel
But if you're embedding internal audit into
00:18:58 Vipul Patel
the resilience framework and you're treating internal audit as sort of a proactive testing partner, I think that really helps, one, build a more robust, effective IR plan, but also, again, improve the brand of internal audit, the partnership, et cetera.
00:19:18 Vipul Patel
I would say financial services firms and any other organizations that have critical infrastructure to them, those are ones that are doing this really, really well.
00:19:27 Vipul Patel
Mostly because they've got the regulatory pressure to do so, and probably the resources, dollars, et cetera.
00:19:33 Vipul Patel
But I would say just again, those key pieces or traits that I've seen across the board, if organizations can sort of follow those, I think that's just that mindset that is ingrained in that.
00:19:44 Adam Ross
Well, I think you're certainly saying the right things as far as I'm concerned.
00:19:48 Adam Ross
And it's definitely aligned with the IIA's Vision 2035, where internal audit continues to evolve into more of a strategic risk advisor and business partner, while still maintaining its objectivity and independence.
00:19:58 Adam Ross
This has been a great conversation.
00:19:59 Adam Ross
And before we wrap up, I just wanted to see if you had any other sage words of advice for our listening audience in terms of ways internal audit can help or other considerations they should be thinking about in this important area.
00:20:11 Vipul Patel
I think if our professionals can just continue to keep in mind that, again, this is not just a technology issue.
00:20:19 Vipul Patel
Yes, technology matters, backup, segmentation, MFA, that's all good stuff.
00:20:24 Vipul Patel
But we only need to remember that the critical failure point most likely is going
00:20:28 Vipul Patel
to be the people, right?
00:20:30 Vipul Patel
And ownership, untested plans, siloed communication, these are really the critical pieces of sort of cyber breaches.
00:20:39 Vipul Patel
And if internal auditors can, you know, have a seat at the table and deeply look at and be involved in the development of those three things, I think it'll just go a very, very long way toward moving the needle.
00:20:52 Adam Ross
Excellent.
00:20:53 Adam Ross
Well, thank you so much for your time and your very thoughtful insights.
00:20:55 Adam Ross
Greatly appreciated.
00:20:56 Vipul Patel
Thank you, Adam, for having me.
00:20:58 The IIA
Earning the CIA usually means 3 separate exams, but it doesn't have to.
00:21:04 The IIA
The CIA Challenge exam is designed for experienced professionals who already hold a CPA, CISA, or have a background in internal audit.
00:21:14 The IIA
You qualify through one of three pathways, including a pilot option for people with 10 plus years of experience.
00:21:20 The IIA
That pilot closes September 30th, 2026, so don't sleep on it.
00:21:25 The IIA
Becker study materials can help you prepare for this exam.
00:21:28 The IIA
And if you're interested, you can find a link to the challenge exam in the show notes.
00:21:33 The IIA
If you like this podcast, please subscribe and rate us.
00:21:36 The IIA
You can subscribe wherever you get your podcasts.
00:21:39 The IIA
You can also catch other episodes on YouTube or at the iia.org.
00:21:43 The IIA
That's T-H-E-I-I-A dot O-R-G.