It’s Time to Start Conducting Internal Cyber Audits
If your company does not yet conduct internal cyber audits to assess and manage your cybersecurity risks, it’s time to start. For those businesses that do, it is equally important to promptly address any vulnerabilities that are detected.
The City of Atlanta recently learned the hard way how important it is to head the warnings of a cyber audit. The city was recently hit by a ransomware attack that The New York Times called “one of the most sustained and consequential cyberattacks ever mounted against a major American city.”
According to media reports, Atlanta officials were warned last summer that the city’s IT infrastructure was vulnerable to attack. An internal audit found, “the large number of severe and critical vulnerabilities identified has existed for so long the organizations responsible have essentially become complacent and no longer take action.”
The audit further stated, “departments tasked with dealing with the thousands of vulnerabilities … do not have enough time or tools to properly analyze and treat the systems.”
Conducting an Internal Cyber Audit
While creating a cybersecurity plan is critical to safeguarding your company, testing for effectiveness and efficiency is equally important. After all, it’s far better to discover your weaknesses in a test situation rather than in real life.
When conducting a cyber audit, be sure to take IT, business, and legal concerns into account. Audits, which often require the assistance of outside professionals, must be comprehensive enough to address all points of entry. Below are several key areas that should be taken into consideration:
Systems testing: The most technical part of a cyber audit involves analyzing and penetration testing all of your internal and external systems. Auditors will also test that software and data updates are being performed; cybersecurity is incorporated into application and software development; and existing IT controls can address new and emerging threats.
Data protection: The audit should also evaluate the management and protection of PII (Personally Identifiable Information) data and intellectual property including trade secrets. For instance, physical and logical security controls should be established at all sites containing PII and other sensitive data. The adequacy of your data loss protection should also be examined.
Regulatory compliance: As the regulatory landscape continues to evolve, businesses must make sure their policies and procedures are keeping pace. The New York Division of Financial Services cyber-security standard, the Securities and Exchange Commission (SEC)’s latest cyber guidance, and HIPAA are just a few examples.
Security awareness and training: Your employees can be either an asset or a liability when it comes to cybersecurity. Audits should access both employee awareness and compliance. Common risks areas include the security of employee-owned devices and phishing attacks on corporate email accounts. The overall organization’s attitude towards cybersecurity should also be evaluated. When it comes to corporate culture, complacency at the top can quickly trickle down to the entire business.
Coordination: Comprehensive cybersecurity plans require coordination across a broad range of departments. The failure to clearly define roles can result in “turf wars.” Conversely, risks can also fall through the cracks if one department wrongly assumes the other is addressing the issue. Audits should also confirm that businesses have procedures in place to keep the board of directors informed about how cyber risks are being managed.
Third-party risks: If your vendors don’t take the same cybersecurity precautions, your data will still be at risk. It is imperative to require third-party vendors to meet minimum data security standards and also regularly monitor them for compliance.
Crisis management: Attacks can occur even when businesses have cyber plans in place, so it’s important to verify that your crisis management can quickly restore your operations and communicate effectively with business partners, customers, regulators and the public.
Of course, internal audits can also be invaluable in a number of other related areas, including testing your business-continuity and disaster-recovery plans. To determine if your existing policies and procedures pass muster, we encourage businesses to work with knowledgeable IT and legal professionals.
Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work. To learn more about data privacy and security, visit eWhiteHouse Watch – Where Technology, Politics, and Privacy Collide (http://ewhwblog.com).
Are Stay Interviews the Key to Retaining Top Talent?
Retaining top talent continues to be one of the greatest challenges facing employers today. Even in an employer’s market, the loss of a key employee can disrupt operations and result in significant costs. While compensation plays a role, long-term retention often depends on workplace culture, communication, and employee engagement. One increasingly popular strategy for improving […]
Secured transactions form the backbone of a wide range of business dealings, including business loans, mortgages, and inventory financing. Because the stakes are often high and relatively minor oversights can have drastic consequences, lenders and borrowers should thoroughly understand how to form an enforceable security agreement that protects their legal rights. What Is a Secured […]
Don’t Cash a “Paid in Full” Check Without Understanding the Legal Implications
Cashing a check marked “paid in full” can be a risky endeavor, particularly if you don’t fully understanding the legal implications. If you are owed more than the amount of the check you accept and deposit, you may waive your right to collect the full disputed amount. That is why you should consider either rejecting […]
Changes to Qualified Small Business Stock Will Benefit Startup Founders and Investors
The One Big Beautiful Bill Act of 2025 (OBBBA) significantly impacts federal taxes, credits, and deductions. A key change relating to Qualified Small Business Stock (QSBS) allows greater tax-free gains for investments in startups and other qualifying small businesses. Company founders and other investors should understand how the enhanced tax strategy works or risk missing […]
Corporate Consolidation and Antitrust Issues in Mergers
Corporate consolidation involves two or more businesses merging to become a single larger entity. The result is often a stronger and more competitive company that can better navigate today’s competitive marketplace. What Is Corporate Consolidation? Corporate consolidation closely resembles a basic merger transaction. The primary difference is that a consolidation creates an entirely new business […]
Business law plays a critical role in nearly every aspect of running a successful enterprise, from negotiating a commercial lease to drafting employee policies to fulfilling corporate disclosure obligations. Understanding what is business law and your legal obligations can help your business run smoothly and build productive relationships with clients, business partners, regulators, and others. […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
