Companies sometimes question the usefulness of an internal
cybersecurity audit, and the question of, “aren’t standard risk assessments
enough to formulate a security strategy to protect a company’s digital assets?” is often asked.
cybersecurity audit, and the question of, “aren’t standard risk assessments
enough to formulate a security strategy to protect a company’s digital assets?” is often asked.
In reality, though, standard risk assessments aren’t especially useful when it comes to establishing a wide-ranging, in-depth security plan for your business.
Why is a Self-Audit Appropriate?
Cyber self-audits are crucial for your business, as they allow you to set your own parameters and a specific set of goals. Self-audits give you the opportunity to:
· Establish a Set of Security Standards – The results of your self-audit will provide the opportunity to decide what your security standards are and how they should be rolled out across the business.
· To Help Enforce Regulations and Best Practice – Audits ensure all regulations and practices, both your own internaauditl security standards and any compulsory external legislation are followed to the letter.
· To Determine the State of Your Security – A thorough audit will show you how your current security protocols are working in a way that a risk assessment couldn’t. Along with what’s missing, it will also take into account how current processes are performing, along with why and how they could and should be improved.
Overall, self-auditing is a brilliantly useful tool when you
need to understand whether your cybersecurity is working as it should, or
you’re preparing for an external audit in the near future.
need to understand whether your cybersecurity is working as it should, or
you’re preparing for an external audit in the near future.
Up to 30% of people have no idea whether they’ve been hacked and their data remains unprotected – by ensuring you complete an audit at least once a quarter, you can keep abreast of any updated tech on the market that could further protect your business.
How to Conduct a Cyber Security Audit
There a numerous way to collect the required data you need,
such as user action monitoring, access management and employee tracking software, which allows you to access all of the data in one centralised zone.
such as user action monitoring, access management and employee tracking software, which allows you to access all of the data in one centralised zone.
But, what are the steps you first need to consider when
performing a thorough audit?
performing a thorough audit?
Internal vs External Audit
When you’ve decided to perform an audit, you need to determine
whether you’re happy to use your own resources or contact an external
professional.
whether you’re happy to use your own resources or contact an external
professional.
External auditors are consummate professionals. They use a
wide-ranging selection of cybersecurity software, such as vulnerability
detectors and they’re able to bring a tremendous amount of knowledge to the table in order to find gaps and security flaws in your systems.
wide-ranging selection of cybersecurity software, such as vulnerability
detectors and they’re able to bring a tremendous amount of knowledge to the table in order to find gaps and security flaws in your systems.
The biggest drawback, however, is the fact that they often don’t
come cheap, and finding a professional with the necessary qualifications and expertise can often be complicated.
come cheap, and finding a professional with the necessary qualifications and expertise can often be complicated.
In addition to this, the success of your audit will depend
heavily on the lines of communication between yourself and the auditor. If an auditor cannot get access to your data in good time, the audit will take longer than necessary, which bloats costs and produces inaccurate results.
heavily on the lines of communication between yourself and the auditor. If an auditor cannot get access to your data in good time, the audit will take longer than necessary, which bloats costs and produces inaccurate results.
This makes external audits something of a luxury, rather
than an ongoing option. They are an excellent option to undertake once a year, should you have the resources to invest in it.
than an ongoing option. They are an excellent option to undertake once a year, should you have the resources to invest in it.
Internal audits, on the other hand, are far easier to manage,
and as already mentioned, they can offer you an opportunity to gather data and set your own benchmarks.
and as already mentioned, they can offer you an opportunity to gather data and set your own benchmarks.
However, it’s often the case that internal auditors will often lack the experience of a professional. That said, it doesn’t mean this
can’t be solved by simply hiring the right people and offering the correct
training.
can’t be solved by simply hiring the right people and offering the correct
training.
Internal audits are not only much cheaper but far more
efficient too. It’s far easier for an internal employee to work around
established company processes to gather the data required, without the need for an external source to learn when they’re able to collect data without disturbing workflows.
efficient too. It’s far easier for an internal employee to work around
established company processes to gather the data required, without the need for an external source to learn when they’re able to collect data without disturbing workflows.
Although an internal audit may sound complicated, in
reality, all you’re required to do is establish KPIs and deliverables and ensure that the company is adhering to these practices.
reality, all you’re required to do is establish KPIs and deliverables and ensure that the company is adhering to these practices.
Step #1: Define Your Security Priorities
As part of the GDPR process, every company is legally
required to have a nominated Data Protection Officer present within the
business who would be responsible for knowing what data is flowing out and it what is flowing in. Whoever that person is, whether you or someone else within the business, they should undertake the audit.
required to have a nominated Data Protection Officer present within the
business who would be responsible for knowing what data is flowing out and it what is flowing in. Whoever that person is, whether you or someone else within the business, they should undertake the audit.
The first job of the auditor is to define how far your audit
will stretch; which means that you need to list all your assets.
will stretch; which means that you need to list all your assets.
Assets can include anything from computer equipment to sensitive
customer and company information; it can also include anything that would require time and money to repair in order for the business to run correctly,like internal documentation and communication systems.
customer and company information; it can also include anything that would require time and money to repair in order for the business to run correctly,like internal documentation and communication systems.
Once you’ve narrowed down your assets, you will then need to
decide where your security parameters lie.
decide where your security parameters lie.
Your security parameters will segment your assets into two
groups: things that will be audited and things that won’t. It’s not realistic
to try and include everything in your audit, so you must put your most valuable assets first and set your parameters at that – once you’ve done this, you should put all of your focus toward them.
groups: things that will be audited and things that won’t. It’s not realistic
to try and include everything in your audit, so you must put your most valuable assets first and set your parameters at that – once you’ve done this, you should put all of your focus toward them.
Step #2: Assess the Threats
Once you’ve defined your assets, the next step is to assess
the potential threats to those assets.
the potential threats to those assets.
These can range from below-par employee password protection,
secure company or client data, Denial of Service attacks, and can even include physical breaches or damage caused by fire or natural disasters, such as flooding.
secure company or client data, Denial of Service attacks, and can even include physical breaches or damage caused by fire or natural disasters, such as flooding.
Generally speaking, any conceivable threat should be
considered, as long as it could potentially cost your business a significant
outlay.
considered, as long as it could potentially cost your business a significant
outlay.
Below is a list of frequent threats that you should be
considering during this step:
considering during this step:
· Careless Employees – Your employees need to be your first line of defence; any weak link in this chain is enough to undermine the whole process. How well trained are your employees? Are they trained to notice suspicious activity and follow security protocols to the letter?
· Phishing Attacks – Breach perpetrators are regularly using phishing attacks to get hold of sensitive information. In 2016, 89% of all phishing
attacks were motivated by financial gain.
attacks were motivated by financial gain.
· Weak Passwords – Weak passwords were utilised in 81%
of hacking-related incidents in 2017. Weak or stolen passwords are the most common method used by hackers to gain access to networks.
of hacking-related incidents in 2017. Weak or stolen passwords are the most common method used by hackers to gain access to networks.
· Insider Threats – Noone wants to think about the idea that someone on the inside of their business would do anything to hurt their business either maliciously or accidentally, but unfortunately it is possible, and it does happen.
· DDoS Breaches – A distributeddenial-of-service attack, does exactly what it says on the tin. Multiple systems flood a target (usually a web server) to overload it and render it useless.
· Employee Devices – Do your employees connect their smartphones to the Wi-Fi or use their own USB stick? If so, you need to take these into account as it substantially weakens your security position.
· Malware – This encompasses several threats, such as worms, trojan horses, spyware and the persistent and increasingly prevalent ransomware.
· Physical Theft or Natural Disaster – While neither of these things is especially likely, the consequences of not being prepared could cost your organisation a massive sum of money.
Step #3: Evaluate Current Security Processes
Now that you’ve pinpointed the potential threats you could face; you need to decide honestly whether your current infrastructure is adequately equipped to defend against them.
At this stage, you are only assessing the effectiveness of your current security measures, which means you’re evaluating each link in the chain for weakness, whether that link is you, your staff, security procedures or the business as a whole.
This is one of the areas in which an external audit can be particularly valuable since there are no internal biases which could skew the final results of the inspection.
It’s absolutely crucial to the validity of your security audit to bypass any emotional bias you have towards employees in certain positions or even your own performance.
Step #4: Prioritising
This is the most essential step in the auditing process – how do you prioritise?
Look at your list of potential threats and compare the potential damage vs the probability that this occurrence may come to pass, and you’ll be left with a risk score for each.
For example, a flood could completely destroy your equipment and keep your premises closed for an indeterminate time frame, which would place it as a ‘high risk’, but since floods or natural disasters are unlikely, the score will be lowered accordingly.
During this step, it’s critical to research the following:
· Historic Cyber-Breaches – Has your
business been hacked, attacked or physically breached in the past?
business been hacked, attacked or physically breached in the past?
· Current Cyber Trends – What are the current methods that cyber-criminals use to access information? What threats are becoming more prevalent and which are far less frequent? What new technological advancements are now available to further protect against threats.
· Industry-Wide Trends – If you work in the financial industry, or your business holds a good deal of customer data, your chances of an attack are higher than in other sectors.
· Regulations, Legislation and Compliance - Are you a private or public business? Do you handle sensitive financial or personal data on a daily basis? Who has access to this information?Answering these questions will impact your risk score when assigning threat scores to specific assets.
Step #5: Finalise Your Security Protocols
The remaining stage of any internal security audit is
perhaps the easiest – take your prioritised list of threats and write down a
list of security and best practice updates to neutralise or eliminate the risk
altogether.
perhaps the easiest – take your prioritised list of threats and write down a
list of security and best practice updates to neutralise or eliminate the risk
altogether.
Below is a list of standard security solutions you should
consider:
consider:
· Employee Training – According to an article by welivesecurity.com, 33.3% of people say they’ve had absolutely had no cybersecurity training whatsoever. Your employees are only human at the end of the day, which means they can make mistakes. Creating training schedules for new employees and refresher training for current employees will generate awareness and decrease errors, so there is no doubt of the security best practice.
· Email Protection – Incidents of phishing attacks are increasing, and this is because they are becoming more sophisticated and challenging to identify. Once clicked on, a phishing email presents a perpetrator with a range of options to gain access to your data via software installation. Spam filters help up to a point, but the ability to identify emails as ‘external’ or ‘internal’ to your network is highly prized.
· Backups – One of the biggest concerns for a business if data is compromised, is the inability to recover it because backups haven’t been taken and if this is the case it means your businesses ability to function has also been compromised. Backing up your data on a regular basis and separating it from your main network means you always have a backup in the case of an attack.
· Up-to-Date Software – Keeping every machine on your network on the latest software is an incredibly important step towards securing potential access points. You can enforce manual updates as a mandatory step in your security plan, or you could use software that prevents any user without the correct updates from accessing crucial
information.
information.
· Password Management – Any password needs to be unique and complex enough that it can’t be guessed. Human beings aren’t inclined to remember hundreds of unique passwords, which is why we tend
to lean on a few variations of the same password or store them in unsecure word documents or note pads. Invest in a password manager, ensure no passwords are reused, amplify password sophistication, and find a safer way of sharing passwords than a spreadsheet. If you’re the manager of the software, you can then share the relevant passwords with only the appropriate personnel.
to lean on a few variations of the same password or store them in unsecure word documents or note pads. Invest in a password manager, ensure no passwords are reused, amplify password sophistication, and find a safer way of sharing passwords than a spreadsheet. If you’re the manager of the software, you can then share the relevant passwords with only the appropriate personnel.
· Network Monitoring Software – Cybercriminals will often be looking to gain access to your network. There are many network monitoring software products on the market that can alert you of any suspicious activities, such as unidentifiable access attempts to keep you one step ahead of the game.
Conclusion
Now you have all the tools to hand to complete your internal security audit. You must remember that internal security reviews are not “one and done” solutions; they are an ongoing process.
Your first security audit should be used as a benchmark for
all the audits that follow – measuring where you’ve succeeded and failed is the only way to ensure that you can build and learn from measures that did and didn’t work as effectively.
all the audits that follow – measuring where you’ve succeeded and failed is the only way to ensure that you can build and learn from measures that did and didn’t work as effectively.
By continually improving your processes and technology, you’ll create a culture across the business in which everyone is concerned about any potential security breaches.
Richard LeCount is a cybersecurity expert and the managing director of usbmakers.com, a company specialising in USBs and power banks.