What Can Auditors Do About Data Breaches?
In the wake of the Target incident, internal auditors should provide assurance that basic security measures are in place in their organization's commerce system.
Most people have heard of, or may have been directly affected by, the recent Target data breach, which exposed 40 million customers’ credit card information during the busy year-end holiday shopping period. What is known so far is that the malware was not identified by antivirus software and that the intruders used credentials from a Target business partner.
The fact is that in-store retailing, and e-commerce in general, requires many interconnections among credit card companies, technology companies, point-of-sale (POS) vendors, etc. All these third parties should be considered extensions of a retailer’s own internal network, such that a weakness in any one of their networks could open the door to the retailer’s network. Such arrangements are not limited to retailers; most organizations have some type of third-party vendor or partner connecting to their network.
In light of the Target incident, many organizations are now reviewing their own internal procedures. Audits of the controls that detect and prevent network intrusions, and of third-party vendor connections, would add value to the organization’s overall preparedness. Given the sophistication of the Target breach, most organizations would tend to respond by expanding their security infrastructure. However, the root causes of a breach are sometimes weaknesses in basic security procedures, such as:
Sometimes organizations become so reliant on sophisticated security controls that they neglect basic security procedures. Therefore, the internal audit staff can provide assurance that the standard security protocols are working as intended. Questions auditors might ask include:
Overall, organizations rely on sophisticated security technology to detect and prevent breaches. However, it usually is the small things, such as not following simple procedures, that provide an intruder a door to gain access. Internal auditors should step forward and increase their assurance activities regarding these basic security practices.
James Reinhard, CIA, CPA, CISA, is audit director at Simon Property Group in Indianapolis.