A great way to get your company moving towards better protection against a data breach and other costly cyber security threats is by conducting an internal cyber security audit. Often when we think of a security audit, we think of a stressful and expensive exercise. It doesn’t have to be.
Likewise, IT and security professionals tend to see a cyber security audit as an assessment of their organization’s security compliance, performed by an external security specialist, and sometimes costing over $50,000. However, they fail to see that with the right training, resources, and data, an internal security audit can prove to be an effective way to evaluate the security of their organization.
In addition, an internal cyber security audit can provide critical, actionable insights to better protect company defences.
External vs. Internal Security Audit
Firstly, we need to understand the differences between an external and internal security audit before jumping in.
An external audit has enormous value for any company but is quite an expensive exercise, especially for small businesses. It also still relies heavily on the participation and input of the business’s internal IT and security department. If you decide on an external security audit company, you need to firstly find a respected and affordable external audit partner. Secondly, set goals and expectations for the auditors. Thirdly, provide all the relevant and accurate data. And finally, ensure you implement the recommended changes.
External auditors are practised professionals who specialise in the security audit area. They have all the right tools and software to conduct the audit and have the advantage of understanding all up-to-date security protocols. They are also trained to spot flaws in both physical and digital systems. Because auditors are external, all areas are covered, no stone is left unturned, and nothing is overlooked due to internal bias.
In spite of the many advantages of an external auditor, companies still go for an internal security audit due to its speed, cost, efficiency, and consistency. An internal audit also means:
- you can establish a baseline from which you can measure improvement in future audits;
- it can be done more frequently;
- gathering and sorting relevant data is simplified because it isn’t being distributed to a third party;
- it causes less disruption to the workflow.
Firstly, if you decide to conduct your own security audit, it’s important that you educate yourself in the compliance requirements necessary to uphold security protocols.
We’ve provided five steps to get you moving to conduct an internal security audit that will provide a return on your investment:
- Define Your Audit
- Define Your Threats
- Assess Current Security Performance
- Prioritize (Risk Scoring)
- Formulate Security Solutions
Define Your Audit
What does it mean to define your audit? The first step of an auditor is to define the scope of the audit. In other words, write down a list of all your assets. These assets include computer equipment and sensitive company and customer data. They also include items the business would need time or money to replace, such as important internal documentation.
After you have built a lengthy list of assets, you need to define your security perimeter.
What does it mean to define your security perimeter? In other words, separate your assets into two lists: things you will audit and things you won’t audit. Choose your most valuable assets.
Define Your Threats
The next step is to take your list of valuable assets and draw up a list of potential threats to those assets.
These can be diverse in range: for instance, poor employee passwords, the protection of sensitive company and customer data, DDoS (distributed denial-of-service) attacks, and even physical breaches or damage caused by a natural disaster. Importantly, as long as the threat can legitimately cost your business money, it must be considered.
Below is a list of common threats you need to think about:
- Negligent Employees: Your employees are your first line of defence. Firstly, are they trained to notice suspicious activity (e.g. phishing)? Secondly, do they know the security protocols laid out by your team? Finally, are they using strong passwords, or just reusing personal passwords, to protect your sensitive company accounts?
- Phishing Attacks: Breach perpetrators are increasingly turning to phishing scams to gain access to sensitive information. Over 75% of phishing attacks are financially motivated.
- Poor Password Behavior: Leveraged in 81% of hacking-related breaches, weak or stolen passwords are the #1 method used by perpetrators.
- Malicious Insiders: It’s hard to imagine, but it is always possible that there is someone within your business who would misuse sensitive information.
- DDoS Attacks: A distributed denial-of-service (DDoS) attack is what happens when multiple systems flood a targeted system (typically a web server) and overload it, thus rendering it useless.
- BYOD (Bring Your Own Device): If your business allows staff to BYOD, consider the risk, as the attack surface for perpetrators is larger. A device that has access to your systems needs to be accounted for, even if it’s not owned by the business.
- Malware: Incorporates a number of different threats, such as worms, Trojan horses, spyware, and includes an increasingly popular threat: ransomware.
- Physical Breach or Natural Disaster: The consequences of a physical breach or natural disaster on a business can be incredibly expensive.
Assess Current Security Performance
The third step, now that you have your list of threats, is to make an assessment. Firstly, you need to evaluate the performance of your existing security structures. In other words, take an honest look at the security performance of yourself and your team.
This is the step where an external audit can prove valuable, because external auditors have no internal biases affecting the outcome of the audit.
Being honest in your evaluation is critical to the legitimacy of your internal security audit.
Perhaps your team is great at monitoring your network and detecting threats, but not good when it comes to using strong passwords. If there is a weakness in your defence, it’s in your best interest to make the necessary improvements to secure your business against any potential threats. Knowing how well your organization defends against certain threats, and how well it keeps valuable assets protected, is crucial for the next step.
Prioritize (Risk Scoring)
Prioritisation is key for the next step. But just how do you prioritize?
Look at your list of threats and weigh up the potential damage of each threat if it happened against the chance that it will occur. Give a score for each. For example, a natural disaster can wipe out any business (a high damage score), but if your business is located in a place that has never been hit by a natural disaster, the chance score is low.
Importantly, factor in the results of your current security performance assessment (step 3) when scoring each threat, so that the scores point at the improvements that matter.
Secondly, take a look at additional factors such as the following:
- History of your organization: Has your business experienced a cyber-attack or breach in the past?
- Current cyber security trends: What threats are growing in popularity, and which are becoming less frequent? What new solutions are available to defend against certain threats?
- Industry-level trends: Maybe you work in the finance sector. What types of breaches are more prevalent in your industry? How does that affect staff education or your data, and the likelihood of a breach?
- Regulation and Compliance: Does your organization store and/or transmit sensitive financial or personal information? Are you a public or private company? What kind of data do you handle? Who has access to which systems? The answers to these questions will affect your risk score for threats and the value you place on particular assets.
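To show how steps 1 to 4 fit together, here is a small risk register that keeps only in-scope assets (the security perimeter), scores each threat as damage weighted by likelihood, discounts that score by how well your current defences handle it (step 3), and ranks the result. This is an added illustration, not a tool from the article; the 1-to-5 scales, the control discount and the sample threats are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    impact: int      # potential damage if it happens: 1 (minor) to 5 (business-ending)
    likelihood: int  # chance it occurs: 1 (rare) to 5 (expected)
    control: int     # how well current defences handle it (step 3): 1 (weak) to 5 (strong)


def risk_score(t: Threat) -> float:
    """Damage weighted by likelihood, then discounted by control strength.

    A fully controlled threat (5) keeps one fifth of its raw score; an
    uncontrolled one (1) keeps all of it, so weak spots rise to the top.
    """
    for value in (t.impact, t.likelihood, t.control):
        if not 1 <= value <= 5:
            raise ValueError(f"{t.name}: scores must be between 1 and 5")
    raw = t.impact * t.likelihood
    return round(raw * (6 - t.control) / 5, 1)


def prioritize(threats, in_scope):
    """Rank threats to in-scope assets only, highest risk first."""
    scored = [(t.name, risk_score(t)) for t in threats if t.asset in in_scope]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data for a small business (assumed, not from the article).
IN_SCOPE = {"Admin accounts", "Staff mailboxes", "Customer database",
            "Public web server", "Primary servers"}

SAMPLE_THREATS = [
    Threat("Password reuse", "Admin accounts", impact=5, likelihood=4, control=1),
    Threat("Phishing", "Staff mailboxes", impact=4, likelihood=5, control=2),
    Threat("Malicious insider", "Customer database", impact=5, likelihood=2, control=3),
    Threat("Natural disaster", "Primary servers", impact=5, likelihood=1, control=2),
    Threat("DDoS", "Public web server", impact=3, likelihood=3, control=4),
    # Outside the perimeter: left out of the ranking no matter how it scores.
    Threat("Paper jam", "Lobby printer", impact=5, likelihood=5, control=1),
]

if __name__ == "__main__":
    for rank, (name, score) in enumerate(prioritize(SAMPLE_THREATS, IN_SCOPE), start=1):
        print(f"{rank}. {name}: {score}")
```

The ranking becomes the order of your to-do list in the next step; a high-impact but well-controlled threat drops down it, and an out-of-scope asset never appears.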
Formulate Security Solutions
The final step, once you’ve prioritised your list of threats, is to write down a set of corresponding security solutions or best practices for improvement. This list will become your new to-do list for the coming weeks and months. Below is a list of common security solution ideas:
Employee Education and Awareness: Half of company executives haven’t implemented an employee security awareness training program within their business. This is an enormous problem considering employees are reported to be the weakest link in your network security. Create training material for new employees and updates for existing ones. This builds employee awareness of security best practices, such as how to spot a phishing email.
Email Protection: Phishing attacks are increasingly popular today and getting harder to spot. If clicked, a phishing email will open the door to your data by installing software on the victim’s machine. Spam filters do help. So does being able to identify emails as “internal” or “external” to your network, just to let employees know where emails are coming from.
Password Safety and Access Management: Passwords need to be strong, in other words complex and unique to each account. How are we able to remember so many passwords? To combat password overload, most people reuse them or store them in unprotected Word docs or notepads. It’s a good idea to start using a password manager such as LastPass to eliminate password reuse and increase password complexity. To ensure sensitive accounts are only available to appropriate personnel, you can manage who has access through the password manager’s admin section. Another good idea is to use two-factor authentication for an additional layer of security.
Network Monitoring: Perpetrators will at times try to gain access to your network. One way to protect against this is to use network monitoring software. This software alerts you to any questionable activity and unknown access attempts, keeping you one step ahead of any harmful intruders. Such systems, for instance Darktrace, offer 24/7 protection and use artificial intelligence to help identify cyber crimes.
Data Backup: Your data is important; without it your business is likely to stop. So it’s amazing how many companies forget this simple step. Get in the habit of backing up your data. Ensure your backups are safe and separate from your primary servers in case of a malware attack or a physical attack on them.
Software Updates: Importantly, secure your access points by keeping everyone on your network on the latest software. Do these software updates manually, or use software like Duo. Duo keeps your sensitive accounts locked to employees whose software isn’t up to date.
Your Internal Security Audit is Complete
If you have followed these five steps, you have now officially completed your first internal security audit. Well done! Your first security audit is always kept as a baseline for measuring your success, and it is the only way to truly assess performance.
Most importantly, auditing is a regular process that needs constant review and improvement. By continuing to improve your methods and processes, you’ll create an atmosphere of consistent security review, putting you in a great position to protect your business against any type of security threat.
Need help beyond this?
Then talk to us about our proven Cyber Security Benchmark Assessment – which is trusted by leading ASX-listed firms who rely on it for their auditing purposes.