Scarinci Hollenbeck, LLC, LLCScarinci Hollenbeck, LLC, LLC

Firm Insights

How Internal Cyber Audits Can Help Lower Your Company’s Cyber Security Risks

Author: Scarinci Hollenbeck, LLC

Date: May 15, 2018

Key Contacts

Back

It’s Time to Start Conducting Internal Cyber Audits

If your company does not yet conduct internal cyber audits to assess and manage your cybersecurity risks, it’s time to start. For those businesses that do, it is equally important to promptly address any vulnerabilities that are detected.

Why Your Company Should Begin Conducting Internal Cyber Audits
Photo courtesy of Chris Reid (Unsplash.com)

The City of Atlanta recently learned the hard way how important it is to head the warnings of a cyber audit. The city was recently hit by a ransomware attack that The New York Times called “one of the most sustained and consequential cyberattacks ever mounted against a major American city.”

According to media reports, Atlanta officials were warned last summer that the city’s IT infrastructure was vulnerable to attack. An internal audit found, “the large number of severe and critical vulnerabilities identified has existed for so long the organizations responsible have essentially become complacent and no longer take action.” 

The audit further stated, “departments tasked with dealing with the thousands of vulnerabilities … do not have enough time or tools to properly analyze and treat the systems.”

Conducting an Internal Cyber Audit

While creating a cybersecurity plan is critical to safeguarding your company, testing for effectiveness and efficiency is equally important. After all, it’s far better to discover your weaknesses in a test situation rather than in real life.

When conducting a cyber audit, be sure to take IT, business, and legal concerns into account. Audits, which often require the assistance of outside professionals, must be comprehensive enough to address all points of entry. Below are several key areas that should be taken into consideration:

  • Systems testing: The most technical part of a cyber audit involves analyzing and penetration testing all of your internal and external systems. Auditors will also test that software and data updates are being performed; cybersecurity is incorporated into application and software development; and existing IT controls can address new and emerging threats.
  • Data protection: The audit should also evaluate the management and protection of PII (Personally Identifiable Information) data and intellectual property including trade secrets. For instance, physical and logical security controls should be established at all sites containing PII and other sensitive data. The adequacy of your data loss protection should also be examined.
  • Regulatory compliance: As the regulatory landscape continues to evolve, businesses must make sure their policies and procedures are keeping pace. The New York Division of Financial Services cyber-security standard, the Securities and Exchange Commission (SEC)’s latest cyber guidance, and HIPAA are just a few examples.
  • Security awareness and training: Your employees can be either an asset or a liability when it comes to cybersecurity. Audits should access both employee awareness and compliance. Common risks areas include the security of employee-owned devices and phishing attacks on corporate email accounts. The overall organization’s attitude towards cybersecurity should also be evaluated. When it comes to corporate culture, complacency at the top can quickly trickle down to the entire business.
  • Coordination: Comprehensive cybersecurity plans require coordination across a broad range of departments. The failure to clearly define roles can result in “turf wars.” Conversely, risks can also fall through the cracks if one department wrongly assumes the other is addressing the issue. Audits should also confirm that businesses have procedures in place to keep the board of directors informed about how cyber risks are being managed.
  • Third-party risks: If your vendors don’t take the same cybersecurity precautions, your data will still be at risk. It is imperative to require third-party vendors to meet minimum data security standards and also regularly monitor them for compliance.
  • Crisis management: Attacks can occur even when businesses have cyber plans in place, so it’s important to verify that your crisis management can quickly restore your operations and communicate effectively with business partners, customers, regulators and the public.

Of course, internal audits can also be invaluable in a number of other related areas, including testing your business-continuity and disaster-recovery plans. To determine if your existing policies and procedures pass muster, we encourage businesses to work with knowledgeable IT and legal professionals.

Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work. To learn more about data privacy and security, visit eWhiteHouse Watch – Where Technology, Politics, and Privacy Collide (http://ewhwblog.com).

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Scarinci Hollenbeck, LLC, LLC

Related Posts

See all
How to Conduct a Fair and Legal Employee Termination in 2025 post image

How to Conduct a Fair and Legal Employee Termination in 2025

Ongoing economic uncertainty is forcing many companies to make tough decisions, which includes lowering staff levels. The legal landscape on both the state and federal level also continues to evolve, especially with significant changes to the priorities of the Equal Employment Opportunity Commission (“EEOC”) under the Trump Administration. Terminating an employee is one of the […]

Author: Angela A. Turiano

Link to post with title - "How to Conduct a Fair and Legal Employee Termination in 2025"
Admin Dissolution for Annual Report: What You Need to Know post image

Admin Dissolution for Annual Report: What You Need to Know

While filing annual reports may seem like a nuisance, failing to do so can have significant ramifications. These include fines, reputational harm, and interruption of your business operations. In basic terms, “admin dissolution for annual report” means that a company is dissolved by the government. This happens because it failed to submit its annual report […]

Author: Dan Brecher

Link to post with title - "Admin Dissolution for Annual Report: What You Need to Know"
What Is Antitrust Litigation Law? post image

What Is Antitrust Litigation Law?

Antitrust laws are designed to ensure that businesses compete fairly. There are three federal antitrust laws that businesses must navigate. These include the Sherman Act, the Federal Trade Commission Act, and the Clayton Act. States also have their own antitrust regimes. These may vary from federal regulations. Understanding antitrust litigation helps businesses navigate these complex […]

Author: Robert E. Levy

Link to post with title - "What Is Antitrust Litigation Law?"
Dissolving Your Business: Essential Legal Steps to Protect Your Interests post image

Dissolving Your Business: Essential Legal Steps to Protect Your Interests

If you’re considering closing your business, it’s crucial to understand that simply shutting your doors does not end your legal obligations. Unless you formally dissolve your business, it continues to exist in the eyes of the law—leaving you exposed to ongoing liabilities such as taxes, compliance violations, and potential lawsuits. Dissolving a business can seem […]

Author: Christopher D. Warren

Link to post with title - "Dissolving Your Business: Essential Legal Steps to Protect Your Interests"
The Role of Corporate Restructuring in Mergers & Acquisitions post image

The Role of Corporate Restructuring in Mergers & Acquisitions

Contrary to what many people think, corporate restructuring isn’t all doom and gloom. Revamping a company’s organizational structure, corporate hierarchy, or operations procedures can help keep your business competitive. This is particularly true during challenging times. Corporate restructuring plays a critical role in modern business strategy. It helps companies adapt quickly to market changes. Following […]

Author: Dan Brecher

Link to post with title - "The Role of Corporate Restructuring in Mergers & Acquisitions"
Crypto Enforcement: A Former Prosecutor’s Warning to Criminals and the Public post image

Crypto Enforcement: A Former Prosecutor’s Warning to Criminals and the Public

Cryptocurrency intimidates most people. The reason is straightforward. People fear what they do not understand. When confusion sets in, the common reaction is either to ignore the subject entirely or to mistrust it. For years, that is exactly how most of the public and even many in law enforcement treated cryptocurrency. However, such apprehension changed […]

Author: Bryce S. Robins

Link to post with title - "Crypto Enforcement: A Former Prosecutor’s Warning to Criminals and the Public"

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Sign up to get the latest from our attorneys!

Explore What Matters Most to You.

Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.

Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.

Let`s get in touch!

* The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship. Confidential or time-sensitive information should not be sent through this form.

Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!