Internal controls are essential for any business. They can protect them from risks such as cyberattacks, third-party leaks and even fraud. Recently, NSW pubs suffered a major data breach, possibly compromising the details of over 1 million ACT and NSW residents. The police have already arrested a man and are planning to charge him with blackmail. There is an ongoing investigation that is trying to discover the intent behind the data breach as NSW pubs were using Outabox to handle their customer details. 

Early signs are pointing to corporate sabotage, highlighting how big the threat of third-party data breaches has become. In 2023, 29% of data breaches were due to third-party attacks. Which raises the question: Can internal controls minimise the possibility of third party risks?

The people responsible for the data breach claim that they weren’t paid for their work and they were cut off, leading to retaliation. The offshore developers were given a lot of access to back-end systems with little to no monitoring. 

Could internal controls prevent a similar situation?

The main issue for the data breach seems to be a lack of oversight on both parties. There is very little information currently on the steps taken by clubs and pubs to monitor Outabox and their practices. The people behind the breach are claiming that Outabox gave them a lot of freedom. 

This gives us quite a few learnings for internal controls. Before entering into a partnership, companies should:

  • Establish processes that need to be followed (audits, due diligence inv)
  • Have strong policies 
  • Employ monitoring tools
  • Carry out risk assessments 
  • Develop a response plan
  • Limit private information to external parties if possible

Establish processes that need to be followed 

It is advisable that before entering a new partnership or employing a third party, the business builds a solid process that is followed leading up to final decision-making.  

Before relying on a third party to handle customer data, it’s important to conduct a due diligence investigation. A due diligence investigator can uncover liquidity problems, any history of bankruptcy and can reveal a lot about the potential partner’s security standards. For example, an ISO 27001 certification shows a high standard for information security management. 

Audits can also provide a lot of useful information and can alert the organisation of potential financial fraud. 

Have strong policies 

When working with a third party, businesses will experience a lack of visibility and control over their partner’s movements. It’s important to ensure every partnership and vendor relationship is viable; companies should create strong cybersecurity and fraud policies that give requirements to third parties and employees working with them. 

If the vendor/partner experiences a data breach, then the business that outsourced services to them is also responsible. Organisations that outsource services must establish strong compliance policies and set clear expectations. The NSW pubs and clubs may face consequences, even if they aren’t directly the ones attacked. When it comes to customer data, both parties have liability, which is why policies are necessary. You may also consider adding indemnities in the contract to make the vendor wholly responsible for any breaches.

Policies should also include cybersecurity training details, for employees who work with partners, as well for those who don’t. The training requirements may be passed to the vendor as well. 

Employ monitoring tools

As part of internal controls, monitoring tools are crucial in creating a successful partnership. A due diligence investigation only tells a part of the story; it shows how the company is performing before the partnership is established. But what happens after that? Internal controls that constantly monitor partner activities are useful for detecting vulnerable links and alerting the business if something seems wrong. 

The case of Outabox is a bit complicated. While NSW pubs outsourced customer data management to Outabox, Outabox outsourced software developments to offshore developers. If the data breach did happen due to unpaid invoices and ghosting, then monitoring tools could have warned the clubs of potential issues. 

Carry out risk assessments 

Risk assessments can be part of the partner agreement as well as a scheduled process that follows afterwards. Risk assessments can assess the impact of potential data breaches and the areas they will affect. They can also help companies find areas for improvement and weaknesses that haven’t been detected before. Regular risk assessments can help businesses be proactive and more prepared as they know what to expect and how to respond to future problems. 

They can strengthen their internal controls and develop mitigation strategies to prevent or minimise the risks they face. In a scenario like this, risk assessments can track whether vendors or partners are meeting industry standards and evaluate their own internal controls. This can lead to a higher level of accountability and assist in decreasing potential data breaches as they have been given suggestions for weaknesses they need to work on. 

internal controls

Develop a response plan

Once a due diligence investigation has been completed, as well as a risk assessment, a business could also complete an internal control audit. This will give managers a good idea of how internal controls compare to potential risks materialising. 

A response plan can then be created that will outline a series of steps to be followed in the case of a data breach, who will be responsible and what the delegation of tasks will look like. The response plan is meant to focus on four phases:

  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident activity

The preparation stage involves all the decision-making and the approval of the response plan. The more scenarios included in the response plan, the more effective the response will be. 

The detection and analysis phase looks at the signs, detection tools and internal controls. The internal controls may send alarm bells if an incident is at a high risk of materialising. The team then can respond to a potential threat, rather than an actual incident. 

If the incident has occurred, the containment, eradication and recovery phase will discuss the steps taken by the company to manage the situation, ensure that it doesn’t escalate and whether there’s any possibility of recovery. The potential damage to the organisation will be estimated, as well as the time and resources available to the business. 

The post-incident activity phase is all about learning, reflection and revision. After the response has been finalised, the company can now assess the actual damage and go through the steps the team followed to respond. They can then decide whether the best possible actions were taken or if there’s room for improvement. 

This is a very important phase as it gives a lot of feedback that will create a more effective and thorough response plan. 

Limit private information to external parties if possible

It might be helpful to review the information that external parties have access to. Is it possible to minimise how much data they are handling? How often do they get rid of customer data once a case is finished? Handling and storing sensitive information can be expensive and troublesome if this information is no longer needed. 

If it’s necessary to still have the information, then check how the information is stored so it doesn’t end up on unsecured spreadsheets. If the company can store the data themselves, that’s the best possible choice, even if it’s more expensive, as the potential consequences of a data breach can be detrimental.

Consequences of third-party data breaches

When a third party suffers a data breach, the organisation that entrusted them with the data handling suffers as well. The customers trust the direct company they are dealing with to handle their data responsibly. They probably have no idea their information handling is outsourced. 

A data breach can lead to a lack of customer trust, decreased sales, and decreased customer base. The damaged reputation will last as long as publicity surrounds the incident. It heavily depends on how severe the cyber attack was and how prepared the organisations were. 

It’s not a pleasant time for anybody and because of future concerns, businesses may not be able to collect necessary customer information. Customers will be very hesitant and may choose to go to a competitor or at least refuse to make a purchase. The information leaked usually ends up in the wrong hands, making individuals vulnerable to identity theft, phishing and malware attacks.

Negative sentiment towards a company may continue if consumers are regularly bothered by scams, so the overall damage may last for months or even years. 

Internal controls: Expensive but worth it

Due diligence investigations, risk assessments, and information access controls are necessary to create a safe cyber environment. Internal controls can be expensive and time consuming, but it’s a worthwhile investment to make. 

Suppose you are looking for an efficient way to complete a due diligence investigation and manage risk assessment outcomes. In that case, Polonious is a great solution, trusted by companies in different industries worldwide. At Polonious, we are ISO 27001 and ISO 9001 certified, which is something we have maintained for several recertification cycles. Our focus is on delivering a high-quality case management system that helps investigators automate their tasks, prioritise risks, and increase chances of recovering funds and data. 

Do you want to know more about how our system can help you? Book a demo today!