What keeps security professionals up at night isn’t the idea of outsider threats attacking their companies—it’s their employees. Nearly 61 percent of security leaders surveyed said their biggest issue is worrying about negligent or malicious employees, which they claim are responsible for over half of their organization’s data breaches or security incidents.

I’m sure you’ll have noticed in the last few years of using smart phones that every time you add a new app, no matter what that app is for, it asks if it can “use your location”. Sure, you get a chance to allow or not, but how many of us just click that allow button without thinking what information that simple choice conveys?

The audit world isn’t as scary as people make it out to be. But there are things that you can only learn in the audit profession through experience and not in the classroom. Here are some of the biggest takeaways I learned as a first year auditor:

According to a recent survey published by RightScale Inc., more than 90 percent of businesses use some form of cloud technology. The benefits of using the cloud are clearly undeniable, but that doesn’t mean getting set up and running on the proper solution for your organization is effortless.

When two alpinists approach the same rock wall, they may both have the goal of reaching the summit, but the process they take to get there likely diverges greatly. Maybe one hikes up the backside while the other opts to climb the rock face directly—it likely depends on their individual skills, their gear, etc.

Determining the scope of an assessment against the HITRUST Common Security Framework (CSF) is one of the first and most important tasks of the entire HITRUST assessment process. The assessment scope is a major factor in the level of effort required to complete an assessment, and is important to relying entities in determining if the services they use are assessed against the HITRUST CSF. However, for organizations with large or complex IT environments, the task of determining the scope of their HITRUST assessment(s) may seem daunting.

What is the SOC 2? At a high level a SOC 2 examination is a report on internal controls of a service organization related to the Trust Service Principles and Criteria (TSPs), which include: security, availability, processing integrity, confidentiality and/or privacy. Reporting on these TSPs can provide assurance around the adequacy of your services’ security control environment.

Employees are one of the weakest links in any business’ security defenses, especially if there is a lack of awareness about criminal attacks that are designed to obtain sensitive information from organizations.