Better Cyber Posture Requires IT Audits, but Depends on Data Monitoring

Key Steps to Help Organizations Outsmart the Cybercriminals

by Francis Tam
April 11, 2019
in Featured, Internal Audit

An organization’s weakest link is most often human, not technological. Moss Adams’ Francis Tam explains why, when it comes to cybersecurity, anomalies in daily logins, user accounts and infrastructure changes should be an organization’s main concern.

In today’s technology-driven world, information can be a company’s most valuable – yet most vulnerable – asset. Data breaches have become more frequent and costly in recent years, with high-profile cases like the Equifax breach in 2017 making headlines. It’s crucial, then, for companies to use data monitoring and cybersecurity audits properly to avoid breaches and the theft of information.

Breaches cost companies an average of $3.9 million, and 54 percent of companies will experience a cyberattack at some point. Full IT assessments can be time-consuming and costly, so companies often skip this crucial process or don’t make it a priority, leaving them vulnerable. Implementing data monitoring as part of your company’s cybersecurity program can help prevent major breaches.

Risks of a Data Breach

Data breaches can put not just a company and its employees at risk, but also its customers. The aftereffects of a data breach can be just as costly as the loss of the information itself. Depending on the scale of the breach, a company’s reputation could become significantly damaged, driving down profits and jeopardizing customer and client relationships, leading to future loss of business.

There are also damage control costs associated with the response to a breach, such as:

  • Forensic investigation
  • Remediating systems-related vulnerabilities
  • System downtime or other actions taken to recover stolen information
  • Setting up new accounts and help desks for affected customers
  • Planning internal and external communications about the breach
  • Preparing for additional safeguards and monitoring

Companies may even face legal or regulatory fines and lawsuits following breaches.

Causes of Data Breaches

Data breaches frequently go unnoticed, and it can take a company a significant amount of time to become aware that a breach has occurred. Most data breaches are caused by intentional criminal attacks, but they can also be the result of simple technology malfunctions and human error.

Limited System Controls

Companies often have inadequate or primitive system controls – firewalls, intrusion prevention systems, etc. – that don’t effectively block remote and unauthorized access to data.

Ineffective Detection Controls

How data is monitored can also lead to vulnerabilities. Companies often don’t address the level or quality of their detection controls, or the ways in which they continuously monitor abnormal activities, whether they’re coming from inside or outside the organization. This can allow hackers or other unauthorized parties to slip by and access data undetected.

Lack of Training

Attacks that come from outside the organization are difficult to detect. A breach that originates inside the organization can take even longer to discover, because employees may not recognize the activity as an anomaly at all. This often happens because the company didn’t provide adequate security awareness training. Employees may expose data during their day-to-day activities without realizing it, and they may not know the correct protocol when asked to upload, download or divulge sensitive information.

How to Prevent a Data Breach

There are many steps companies can take to protect their data. Here are some basic steps to follow:

Classify Data and Assess IT Risks

Each company has data unique to its operations or business model, ranging from personally identifiable information (PII) to more abstract information. Common types of data at risk can include:

  • Social Security numbers
  • Driver’s license numbers
  • Credit card numbers
  • Health care information
  • Financial statements
  • Trade secrets
  • Business leads

The first step to protecting data is simply to identify the type of data a company touches by taking inventory and categorizing data. While every company has a lot of data, not all data is necessarily sensitive information.

By classifying data in tiers from most sensitive to least, companies can identify their weaknesses, develop an IT risk heat map and direct their most urgent attention and resources to safeguarding the data that matters most.

Evaluate IT Controls and Security Awareness

Various types of tests can be performed to determine how well data is protected. These can include simulated phishing campaigns, in which fraudulent messages posing as a trustworthy source attempt to obtain data from employees, as well as a review of firewall logging and monitoring to determine how well the flow of traffic into and out of the company’s network is being tracked.

Penetration assessments, in which simulated hacking attempts are made within a controlled environment, should also be performed and tailored to a company’s specific needs. They test the company’s unique combination of systems, controls and processes and surface missing software updates, improper system configuration, inherent software flaws and weaknesses in operational processes.

Monitor Data Flow

With many companies operating nationally or internationally and technology allowing data to be accessed remotely, a company’s data can potentially be accessed from anywhere. However, most businesses have predictable high-traffic times and locations for when and where their data is accessed – for example, during business hours, or from locations where the company has offices and workers.

If information is accessed in ways that don’t match these patterns, or other abnormal activity appears to have taken place, that may be a red flag that information has been breached.
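The baseline-and-deviation approach described above, as an added example that is not part of the original article: a small Python script that parses constructed authentication log lines, builds a per-user profile of the hours and countries from which logins normally occur, and flags successful logins outside business hours or outside the company’s office countries, plus bursts of failed logins. The log format, the office countries, the business-hours window and the failure threshold are all assumptions for illustration, not anything the article specifies.

```python
"""Flag logins that fall outside an organization's normal hours and locations.

Added example, not from the article. Assumes a simple constructed log format:
ISO-8601 UTC timestamp, username, source country (ISO 3166 alpha-2), outcome.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2019-04-08T09:12:41Z alice US success
2019-04-08T09:40:02Z bob US success
2019-04-08T13:05:19Z alice US success
2019-04-09T08:55:33Z alice US success
2019-04-09T17:30:10Z bob US success
2019-04-10T03:14:07Z alice RO success
2019-04-10T10:02:55Z bob US success
2019-04-10T11:45:00Z carol US failure
2019-04-10T11:45:20Z carol US failure
2019-04-10T11:45:41Z carol US failure
2019-04-10T11:46:03Z carol US failure
2019-04-10T11:46:25Z carol US failure
2019-04-10T11:46:50Z carol US success
"""

# Assumed policy: offices in the US and UK, business hours 08:00-17:59 UTC,
# and five failed logins by one user within five minutes counts as a burst.
OFFICE_COUNTRIES = {"US", "GB"}
BUSINESS_HOURS = range(8, 18)
FAILED_LOGIN_THRESHOLD = 5
FAILURE_WINDOW_SECONDS = 300

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, TIME_FORMAT),
            "user": user,
            "country": country,
            "outcome": outcome,
        })
    return events


def login_profile(events):
    """Per-user counts of login hours and source countries (successes only).

    This is the "normal" baseline a reviewer compares new activity against.
    """
    profile = defaultdict(lambda: {"hours": Counter(), "countries": Counter()})
    for ev in events:
        if ev["outcome"] != "success":
            continue
        profile[ev["user"]]["hours"][ev["time"].hour] += 1
        profile[ev["user"]]["countries"][ev["country"]] += 1
    return dict(profile)


def find_anomalies(events, office_countries=OFFICE_COUNTRIES,
                   business_hours=BUSINESS_HOURS,
                   failure_threshold=FAILED_LOGIN_THRESHOLD,
                   failure_window_seconds=FAILURE_WINDOW_SECONDS):
    """Return (rule, user, timestamp) tuples for events that break the policy."""
    anomalies = []
    recent_failures = defaultdict(list)  # user -> timestamps inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        stamp = ev["time"].strftime(TIME_FORMAT)
        if ev["outcome"] == "failure":
            window = recent_failures[ev["user"]]
            window.append(ev["time"])
            # Keep only failures that fall inside the sliding window.
            window[:] = [t for t in window
                         if (ev["time"] - t).total_seconds() <= failure_window_seconds]
            if len(window) >= failure_threshold:
                anomalies.append(("failed_login_burst", ev["user"], stamp))
                window.clear()  # alert once per burst, not on every further failure
            continue
        # Successful login: compare against the expected hours and locations.
        if ev["time"].hour not in business_hours:
            anomalies.append(("off_hours", ev["user"], stamp))
        if ev["country"] not in office_countries:
            anomalies.append(("unusual_location", ev["user"], stamp))
    return anomalies


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, prof in login_profile(evs).items():
        print(user, dict(prof["hours"]), dict(prof["countries"]))
    for rule, user, stamp in find_anomalies(evs):
        print(f"{stamp} {user}: {rule}")
```

On the constructed sample, the 03:14 login by alice from Romania trips both the off-hours and unusual-location rules, and carol’s five rapid failures trip the burst rule once. In practice the office list and hours would come from the data classification and risk assessment described earlier rather than from hard-coded constants, and the per-user profile would be built from a longer history than three days.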

Provide Security Awareness Training

Company employees who have access or elevated rights to sensitive information should be trained to spot suspicious requests to disclose information or move assets, even when those requests appear to come from legitimate sources or from within the organization.

Companies should also have an action plan in place in the event of a breach so employees know how to appropriately question, challenge and respond to these abnormal requests.

Monitor Service Providers

Companies should continually monitor the activities of third-party service providers, such as cloud and SaaS operators, that come into contact with their sensitive data. Companies can’t necessarily perform scans against an outside organization, but options for due diligence include sending these providers questionnaires about how they handle data and reviewing their System and Organization Controls (SOC) reports and network penetration test reports.

Cybersecurity Advisors

While there are many steps companies can take to prevent data breaches, having a trusted advisor with expertise on how to monitor and prevent attacks can be very beneficial.

Depending on the type of company, the frequency at which monitoring should take place is increasing quickly, with some organizations, such as ecommerce groups, potentially needing daily review. This can become burdensome and time-consuming, but a trusted advisor can make the process smoother and more efficient. Advisors can also provide in-depth security awareness training so employees keep an eye out for risks that could lead to future breaches, and help create a company action plan should a breach occur.

Cybersecurity is a continuing exercise, and as technologies change, there will only be more ways for companies to be at risk.



Francis Tam

Francis Tam is Information Security and Infrastructure Practice partner at Moss Adams, where he concentrates on risk mitigation activities relating to information technology and security. He has practiced public accounting with a focus on risk and compliance consulting since 1994.