Where Is Your Data? Who Has Your Data? Part 1
Data-related risks are top areas of concern in 2019. The latest Gartner research identified five key risk areas that organizations should be assessing: 1) Cybersecurity Preparedness; 2) Data Governance; 3) Third Parties; 4) Data Privacy; and 5) Ethics and Integrity.
Attention to key risk mitigation strategies is important for the organization’s cybersecurity preparedness. Each of these risk areas frequently presents auditing challenges, especially for small to medium-size audit departments. The following provides some key steps organizations can take to reduce these risks.
Cybersecurity Preparedness
Cybercrime is predicted to exceed $6 trillion in damage by 2021. In 2019 organizations will fall victim to a ransomware attack every 14 seconds, and less than half of IT professionals are confident they can protect their organizations from cyberattacks. How prepared is your organization to mitigate cybersecurity risks? Following are some basic cyber risk mitigation strategies.
- Require data encryption, including on mobile phones and laptops; require strong passwords with multifactor authentication; and require frequent password changes.
- Limit access to what is needed for the business, and terminate access as soon as it is no longer needed.
- Apply patches in a timely manner, including to Internet of Things (IoT) devices.
- Require all employees to attend annual security awareness training, and assess the effectiveness of the training using phishing exercises.
Effectively implementing these risk mitigation strategies is key to cybersecurity preparedness. Auditing these controls and reporting to the board is recommended.
Data Governance
Data is the basis for many strategic decisions within an organization. Data that is not consistent, accurate, complete, and timely can result in poor strategic decisions that may be harmful to the organization. According to Gartner, data with an unacceptable quality level is used for 97% of business decisions. Forty-three percent of organizations report a lack of data analytic skills as a contributor to bad data. Often the same data is presented by multiple areas in various formats, each telling a different story, so executives do not know the true state of affairs. The following are some steps your organization can take to improve data quality.
- Make data governance a high priority for the organization and treat data like a corporate asset.
- Make data governance/management a strategic initiative that is shared by both business and IT. Provide adequate funding to implement the strategy.
- Develop a corporate culture and structure that supports centralized decision making, or centralized decision-making processes, related to data governance.
- Leverage existing steering committees, and give them the resources and the authority to develop and implement a corporate data governance strategy.
Implementing an effective data governance/management strategy can be a paradigm shift for many organizations. It requires communication, coordination, and willingness to adhere to data standards by all areas of the business and IT.
Third Parties
Organizations increasingly rely upon third parties to supplement their technology needs, provide technology to support the business, and reduce costs. Moving to the cloud and outsourcing remote support of an organization’s environmental and technical infrastructure are only two of many examples. With this shift comes the increased risk of third-party breaches. Research shows that 78% of organizations do not know which fourth- through nth parties have access to their data. The following are steps an organization can take to mitigate these risks.
- Develop controls over ecosystem partners. Know who they are and regularly assess their economic viability and security performance.
- Know your partners’ partners. Exposure does not stop at your immediate vendors and partners, so do not stop at first- or second-level relationships; go to the nth level. If your organization’s data is available to them, then assess their economic viability and security performance.
Resources such as SSAE 18 reports are available for many third-party providers and can be made a requirement for doing business. Use SSAE 18 reports to follow the chain of custody of your data to the nth party.
To Be Continued…
Data privacy, ethics, and integrity are also key risk areas organizations need to address, and attention to them helps reduce risk in the areas of cybersecurity, data governance, and third parties as well. Watch for next month’s article on key steps to mitigate these risks.
If you have any questions regarding this article, please contact Elaine Nissley, Principal at McKonly & Asbury at enissley@macpas.com.