It’s Time to Start Conducting Internal Cyber Audits
If your company does not yet conduct internal cyber audits to assess and manage your cybersecurity risks, it’s time to start. For those businesses that do, it is equally important to promptly address any vulnerabilities that are detected.
The City of Atlanta recently learned the hard way how important it is to head the warnings of a cyber audit. The city was recently hit by a ransomware attack that The New York Times called “one of the most sustained and consequential cyberattacks ever mounted against a major American city.”
According to media reports, Atlanta officials were warned last summer that the city’s IT infrastructure was vulnerable to attack. An internal audit found, “the large number of severe and critical vulnerabilities identified has existed for so long the organizations responsible have essentially become complacent and no longer take action.”
The audit further stated, “departments tasked with dealing with the thousands of vulnerabilities … do not have enough time or tools to properly analyze and treat the systems.”
Conducting an Internal Cyber Audit
While creating a cybersecurity plan is critical to safeguarding your company, testing for effectiveness and efficiency is equally important. After all, it’s far better to discover your weaknesses in a test situation rather than in real life.
When conducting a cyber audit, be sure to take IT, business, and legal concerns into account. Audits, which often require the assistance of outside professionals, must be comprehensive enough to address all points of entry. Below are several key areas that should be taken into consideration:
Systems testing: The most technical part of a cyber audit involves analyzing and penetration testing all of your internal and external systems. Auditors will also test that software and data updates are being performed; cybersecurity is incorporated into application and software development; and existing IT controls can address new and emerging threats.
Data protection: The audit should also evaluate the management and protection of PII (Personally Identifiable Information) data and intellectual property including trade secrets. For instance, physical and logical security controls should be established at all sites containing PII and other sensitive data. The adequacy of your data loss protection should also be examined.
Regulatory compliance: As the regulatory landscape continues to evolve, businesses must make sure their policies and procedures are keeping pace. The New York Division of Financial Services cyber-security standard, the Securities and Exchange Commission (SEC)’s latest cyber guidance, and HIPAA are just a few examples.
Security awareness and training: Your employees can be either an asset or a liability when it comes to cybersecurity. Audits should access both employee awareness and compliance. Common risks areas include the security of employee-owned devices and phishing attacks on corporate email accounts. The overall organization’s attitude towards cybersecurity should also be evaluated. When it comes to corporate culture, complacency at the top can quickly trickle down to the entire business.
Coordination: Comprehensive cybersecurity plans require coordination across a broad range of departments. The failure to clearly define roles can result in “turf wars.” Conversely, risks can also fall through the cracks if one department wrongly assumes the other is addressing the issue. Audits should also confirm that businesses have procedures in place to keep the board of directors informed about how cyber risks are being managed.
Third-party risks: If your vendors don’t take the same cybersecurity precautions, your data will still be at risk. It is imperative to require third-party vendors to meet minimum data security standards and also regularly monitor them for compliance.
Crisis management: Attacks can occur even when businesses have cyber plans in place, so it’s important to verify that your crisis management can quickly restore your operations and communicate effectively with business partners, customers, regulators and the public.
Of course, internal audits can also be invaluable in a number of other related areas, including testing your business-continuity and disaster-recovery plans. To determine if your existing policies and procedures pass muster, we encourage businesses to work with knowledgeable IT and legal professionals.
Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work. To learn more about data privacy and security, visit eWhiteHouse Watch – Where Technology, Politics, and Privacy Collide (http://ewhwblog.com).
How Courts Evaluate Testamentary Capacity and Undue Influence Will contests in New Jersey are difficult to win, given the strong presumption that a properly executed will reflects the testator’s intent. However, challenges based on lack of testamentary capacity and undue influence remain common, particularly where there are concerns about mental capacity or the involvement of […]
Bringing on outside investors can provide the capital and strategic support a business needs to grow. However, raising capital also introduces important legal, financial, and operational considerations. Before bringing on investors, businesses should address key legal issues to reduce risk, streamline investor due diligence, and position the company for long-term success. Early preparation signals that […]
How the Updated Law Shapes Retirement and Estate Planning The SECURE 2.0 Act of 2022 materially reshapes the required minimum distribution (RMD) landscape, extending tax deferral opportunities while accelerating distribution requirements for many beneficiaries. For high-net-worth individuals and families, these changes are not merely technical. They require a reassessment of retirement income strategies, beneficiary planning, […]
Buying Commercial Property in New Jersey: Legal Guide for Small Businesses
Small businesses considering buying commercial property in New Jersey must evaluate a range of legal, financial, and operational factors. While ownership can offer long-term value and control, it also introduces significant risks if not properly structured. This guide outlines key considerations to help New Jersey business owners make informed decisions, minimize legal exposure, and successfully […]
The SEC’s Latest Guidance on Applying Federal Securities Laws to Tokenized Securities
On January 28, 2026, staff of the U.S. Securities and Exchange Commission’s Divisions of Corporation Finance, Investment Management, and Trading and Markets issued a joint statement clarifying how existing federal securities laws apply to tokenized securities. The SEC’s “Statement on Tokenized Securities” does not establish new law, but it does provide greater clarity on the […]
Common Legal Mistakes NYC and New Jersey Business Owners Make
Operating a business in the New Jersey and New York City metropolitan region offers incredible opportunities, but it also requires navigating a dense and highly regulated legal environment. From entity formation to regulatory compliance, seemingly minor legal oversights can expose business owners to significant risk. In our work with businesses throughout the region, our attorneys […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
