Protecting Your Organization: The Role of Internal Controls and Audits in Preventing Data Breaches

The average cost of a data breach has surged to $4.88 million, reflecting a 10% increase from the previous year, according to a recent report. As businesses increasingly depend on technology, the sophistication and frequency of cyberattacks are growing, leading to heightened risks. So, how can your organization safeguard its profits and assets from these ever-evolving cyberthreats?

Insights from the Latest Report

In August 2024, IBM released the “Cost of a Data Breach Report 2024,” which was independently conducted by the Ponemon Institute. The report analyzed data from 604 organizations that experienced breaches between March 2023 and February 2024. Of the 16 countries studied, the United States reported the highest average cost per data breach, at $9.36 million.

The global average cost of $4.88 million per breach is broken down into four key components:

• $1.47 million for lost business, including revenue losses due to system downtime, customer attrition, reputational damage, and diminished goodwill.
• $1.63 million for detection and escalation, covering forensic investigations, assessments, audit services, crisis management, and executive communications.
• $1.35 million for post-breach response, such as legal fees, regulatory fines, product discounts, and costs for setting up call centers and credit monitoring services.
• $430,000 for notification costs, including informing regulators, affected individuals, and organizations.

A positive takeaway from the report is that the average time to identify and contain a breach has decreased to 258 days, down from 277 days in the previous year, marking a seven-year low. This improvement is largely attributed to the increased focus on cybersecurity measures.

Implementing Robust Cybersecurity Protocols

Cybersecurity is an ongoing process that involves designing and implementing internal controls to:

• Identify potential threats,
• Protect systems and information from security breaches, and
• Detect and respond to incidents effectively.

The shift toward remote work has exposed organizations to greater cybersecurity risks. With sensitive data now stored across multiple platforms — including laptops, networks, cloud storage, email, portals, mobile devices, and flash drives — the potential for unauthorized access has significantly increased.

Identifying and Protecting Targeted Data

When establishing or reviewing cybersecurity protocols, it's crucial to identify potential vulnerabilities by inventorying the types of data that hackers might target. Sensitive information that may be at risk includes:

• Personally identifiable information (PII): such as phone numbers, addresses, and Social Security numbers,
• Protected health information (PHI): such as medical histories and test results,
• Payment card data.

Effective controls over this data are necessary to comply with federal and state regulations, as well as industry standards.

Hackers may also seek to infiltrate a company’s network to steal valuable intellectual property, such as customer lists, proprietary software, formulas, strategic plans, and financial data. These intangible assets can be sold or used by competitors to gain market share or a competitive edge.

Auditing Cyber Risks

No organization, regardless of size, is immune to cyberattacks. As the frequency and severity of data breaches continue to rise, cybersecurity has become a critical element of audit risk assessment.

Audit firms provide varying levels of support, both in assessing risks at the start of an engagement and in uncovering breaches that occur during the audit period or fieldwork.

We’re Here to Help

If you’re concerned about your organization’s vulnerabilities or the effectiveness of its existing controls over sensitive data, contact us.

Our experts at Accavallo & Company LLC can assist you in understanding your risks, estimating and disclosing costs in the event of a breach, and strengthening your defenses to prevent future incidents.

Article link here.