Every organization is expected to comply with laws and regulations. The GDPR, which was introduced in 2018, obliges organizations to be demonstrably in control of information security. Just having a firewall and anti-virus is no longer seen as in control. More needs to be done to prove that as an organization you put the interests of customers, suppliers and employees first and therefore take the right measures. Monitoring is the norm here.