Internal Audit Identifies Gaps in Cybersecurity Controls Across Regional Distribution Centers

The Challenge

A Canadian transportation and logistics provider with multiple regional distribution centers initiated a routine internal audit to verify compliance with corporate security policy. What began as standard testing surfaced systemic control gaps.

Auditors found widespread use of generic logins for seasonal staff and inconsistent enforcement of multi-factor authentication. Account deactivation relied on manual uploads from HR, which left some former contractors with active access. In the warehouses, label printers, handheld scanners, and forklift telemetry modules were running outdated firmware and, in several cases, retained default credentials.

Network segmentation was weak. Low-privilege edge devices could reach critical databases because of a flat VLAN design and permissive rules. The enterprise patch tool did not inventory these devices, so vulnerabilities went untracked. Personal information, including delivery signatures, customer addresses, and shipment manifests, was copied into shared folders without consistent retention or encryption. Several practices conflicted with PIPEDA principles.

Third-party maintenance vendors had always-on remote access to production systems through shared accounts. Local teams treated SIEM monitoring as a head office responsibility, so alerts remained open without owners. Night-shift supervisors used USB exports to move data during maintenance windows, and the tracking spreadsheet could not be reconciled to the devices in circulation.

The findings created immediate business impact. Scanner and label outages forced manual workarounds, a major client issued a compliance notice after a misdirected CSV exposed contact details for 1,800 customers, and the cyber insurer flagged policy renewal concerns. Without rapid remediation, the organization faced higher premiums, reputational harm, and potential reportable incidents under PIPEDA.

Our Solution

We delivered a Comprehensive Controls Remediation and Compliance Assurance Program that combined Audit and Attestation with Governance and Risk Advisory services. All changes were validated through a follow-up internal audit and an external attestation suitable for clients and the insurer. Key workstreams included:

  • Identity and Access Management: Implemented federated identity with HR-driven provisioning and mandatory MFA. Retired generic accounts and enforced unique user IDs for all roles, including seasonal workers.
  • Network and Asset Security: Introduced VLAN isolation and firewall rules for OT and IoT devices. Deployed continuous asset discovery and vulnerability scanning that included scanners, printers, and telemetry modules.
  • Data Protection and Privacy: Enforced encryption for data in transit and at rest, replaced USB exports with secure transfer methods, and implemented retention rules aligned to PIPEDA.
  • Vendor Oversight: Updated supplier contracts to require unique credentials, session logging, breach notification, and data residency commitments.
  • Monitoring and Readiness: Standardized SIEM ownership at each site, set response time objectives, and ran tabletop exercises focused on data exposure and operational continuity.
  • Governance and Training: Established a cyber governance committee, refreshed policies, and delivered role-based training for warehouse and site leads.

The Value

Leadership gained confidence that the distributed IT and OT environment is auditable, resilient, and ready for client due diligence.

  • Risk Reduction: Open SIEM alerts fell by 92% within six months. MFA coverage reached 100% across all regional sites.
  • Visibility: Asset discovery identified 1,200 previously unmanaged devices, all onboarded to patch and monitoring workflows.
  • Operational Stability: Scanner and label system downtime decreased by 37%. Mean time to respond to security alerts dropped by 50%.
  • Compliance and Assurance: Alignment achieved with PIPEDA requirements, ISO/IEC 27001 controls, and Transport Canada IT security guidance.
  • Financial Outcome: The insurer reinstated standard cyber policy terms, avoiding approximately $85,000 in premium increases and surcharges.

Implementation Roadmap