IT control is “A policy that provides a reasonable assurance that the information technology used by an organization operates as expected, that the data is reliable and the organization is in compliance with applicable laws and regulations.” It can be categorized into the management controls and application controls.
Insufficient IT control means the organization fails to protect the information asset, which means the organization is more likely to suffer losses from the exploited threats.Log review is one of the IT control practice, it is the process of recording events that happened on the system, e.g.User login and Modification on files content.
By monitoring system activity, it helps to detect any malicious activities that act against the system.
For instance, if a company does not establish proper control: fail to create and review logs regularly, it fails to discover the malicious act of the staff: an IT staff tried to turn off / disable the system firewall without specific reason during business operating hours. This act allows all data packets to enter and exit the network unrestrictedly and put the system network at risk.
Without the firewall protection, some malware includes computer viruses; worms and Trojan horses can easily spread across the network connection and infect all the computers that attached to the local area network. Therefore, data inside the system can be destroyed or stolen. Not only disrupting the business operation, the stolen data (include confidential information like customer banking account details) may also be released to an unauthorized party for conducting financial crimes – cause of data breach.
The company may fine by the information commissioner’s office as it violates the data protection rule and expose customer sensitive information. We can see that insufficient IT control makes organizations become more vulnerable to outsiders’ attacks. Companies will find out that it is more difficult to retain customers due to their bad reputation and competitive disadvantages.