Many companies consider auditing in general, and security auditing in particular, as a stressful and intrusive process: the idea of an auditor walking around the premises, distracting everyone and intruding on the day-to-day activities of the company often puts them off from conducting audits.
So what is the real use of these audits, and how should you proceed? This article answers both questions.
IT security audit
The very usefulness of audits is sometimes questioned: isn’t a regular risk assessment enough to develop a security strategy and ensure the protection of sensitive data? Moreover, since companies are now subject to compliance rules concerning the security of private data, they are bound to be confronted with an official audit at some point.
So wouldn’t it be better to wait for that rather than perform an IT security audit yourself?
No: audits are very useful, because they bring concrete benefits to a company. They make it possible to:
- Establish a security baseline: the results of audits conducted over the years serve as a reliable baseline against which to assess security performance.
- Verify the proper application of regulations and good security practices: an audit ensures that the cybersecurity measures put in place in the company are applied and followed to the letter.
- Determine the state of security and formulate a strategy for the future: the audit documents the situation at a point in time, in much more detail than a simple risk assessment. It does not only point out missing elements, but also takes into account the existing processes and shows why and how they should be improved.
Overall, the audit is a useful tool for assessing cybersecurity or ensuring that the company is ready for a compliance audit.
What is a security audit?
A security audit is a comprehensive assessment of a company’s information system: typically, this assessment measures the security of an IT system against a list of best practices, established external standards or legal regulations.
A comprehensive security audit will evaluate an organization’s security controls regarding the following:
- the physical components of the information system
- the environment in which the system is hosted
- applications and software (including security patches that system administrators have already implemented)
- network vulnerabilities (including assessments of information as it travels between different points inside and outside the organization’s network)
- the human dimension, such as how employees collect, share, and store sensitive information
1. Define the scope of the IT security audit
The first thing to do is to define the scope of the audit: whether it’s to check the general state of security in the enterprise or to perform a specific network security audit, you need to know what to look at and what to ignore.
To do this, draw the smallest perimeter that still includes all the valuable assets owned by the company that must be protected. The audit should check everything that is within this perimeter, without touching anything that is not.
To define the security perimeter, start by listing all the assets that the company owns. This is a difficult task, as companies often omit key elements such as internal documentation detailing the company’s policies and procedures. There is a misconception that these documents are of no value to a potential attacker, but this information is valuable to the company itself, and if these documents are lost or destroyed (for example, due to hardware failure, employee error or hacking), it will take time and money to start over.
2. Define the threats facing the company
Once the security perimeter has been accurately established, the list of threats that the data contained within it faces must be created. Try to balance the probability of a threat with the impact it would have if it occurred.
For example, the possibility of a natural disaster is relatively low, but can be devastating: it should therefore be included in the list.
The following is a list of the most common threats that should be included in most cases:
Natural disasters
As mentioned above, although this is something that rarely happens, the consequences of such a threat can be enormous: better to be prepared, just in case.
Malware / hacking
Hacker attacks are arguably one of the biggest threats to data security and should always be considered in a security audit.
Ransomware
This type of malware has gained popularity in recent years and deserves its own bullet point in this list, especially if the company operates in the healthcare, education, or financial sectors.
Denial of service attacks
The rise of the Internet of Things has led to an increase in “botnets”. Denial of service attacks are now more prevalent and more dangerous than ever. If the enterprise depends on uninterrupted network service, this is something to consider.
Malicious insiders
This is a threat that companies don’t always take seriously, but one that all face: employees (or third-party vendors) with access to the IT estate can easily leak or misuse data without detection. Again, it’s best to be prepared for this and include it on the threat list.
Human error
Not all data leaks are conducted with malicious intent: there are also clumsy, incompetent or unaware employees who may make a mistake and leak data by accident. This has become common, and is therefore a risk to be taken into account.
Phishing and social engineering
This is similar to the previous point: a hacker can attempt to gain access to a network by targeting employees with social engineering techniques, inducing them to voluntarily hand over their login credentials. This is a threat not to be taken lightly.
3. Assess the cybersecurity risks
Once the list of potential threats that the data included in the scope may face has been compiled, the risk of each of these threats should be assessed.
This assessment will “price” each threat and allow for prioritization of security points to be strengthened. To do this, consider:
Past incidents
Having encountered a specific threat before (or not) can affect the likelihood of encountering it in the future. If the company has already been the target of a hack or denial-of-service attack, there is a chance that it will happen again.
Current trends
What are the current trends in cybersecurity? What threats are becoming more popular or frequent? Are there any new emerging threats? What are the best current security solutions?
The company’s industry
Are direct competitors under attack? What threats does this industry face?
For example, if you’re in the healthcare industry, you’ll be more worried about phishing attacks or ransomware, whereas if you’re a merchant, denial-of-service attacks or other malware are more of a concern.
4. Select the security controls for the company’s IT
Once the risks associated with each threat have been properly established, the final step is to create a list of security controls to be put in place. If controls already exist, they may need to be improved; if no control responds to a threat, one must be put in place.
The most common security measures are:
Physical security of servers and devices
If the company has its own servers, it is essential to secure physical access to them.
At the same time, all of the company’s connected devices should have their default passwords changed and their physical access secured to prevent any hacking attempts.
Data backup
Data backup is very effective in the event of a natural disaster, or of an attack by malware that corrupts or blocks access to data (ransomware).
All backups should be made as frequently as possible, and accompanied by a recovery procedure.
Firewall and anti-virus
It’s basic cybersecurity, but you need to protect the network with properly configured firewalls, and computers with anti-virus.
Spam filter
A spam filter is useful against phishing attacks and malware sent by email.
Even if employees are properly trained and know not to click on links in a suspicious email, it is best to be cautious.
Access control
There are several ways to control access, and it is best to implement all of them. First, control the privilege level of users and adopt the “least privilege” principle when creating new accounts.
In addition, two-factor authentication has become essential, as it greatly enhances the security of logins and provides a record of who accessed the data, and when.
Employee training
To protect the company from phishing attacks, reduce the frequency of errors, and ensure that security procedures are followed, it is best to train employees in cybersecurity.
Educate employees about the threats to them and their company, as well as the measures in place to combat those threats. Educating employees is a great way to turn them from a “weak point” into a strength.
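As an added worked example (not part of the original article), the four steps above can be kept in a small risk register: each threat from the list is scored on a hypothetical 1-5 likelihood and impact scale (risk = likelihood x impact), the likelihood is adjusted for past incidents and the company’s sector as described in step 3, and the controls from step 4 that are still missing for the highest-scoring threats come out as the audit’s gap list. The threat names, scores, sector mapping and control names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    likelihood: int   # 1 = rare .. 5 = frequent, before adjustment
    impact: int       # 1 = minor .. 5 = devastating
    controls: list    # measures from the article that address this threat

# Constructed sample register built from the article's threat and control lists.
REGISTER = [
    Threat("natural disaster", 1, 5, ["data backup", "recovery procedure"]),
    Threat("malware/hacking", 4, 4, ["firewall", "anti-virus", "patching"]),
    Threat("ransomware", 3, 5, ["data backup", "spam filter", "training"]),
    Threat("denial of service", 2, 3, ["firewall"]),
    Threat("malicious insider", 2, 4, ["least privilege", "two-factor authentication"]),
    Threat("accidental leak", 3, 3, ["training", "least privilege"]),
    Threat("phishing", 4, 4, ["spam filter", "training", "two-factor authentication"]),
]

# Threats the article singles out per sector (healthcare vs. merchants); assumed mapping.
SECTOR_CONCERNS = {"healthcare": {"phishing", "ransomware"},
                   "retail": {"denial of service", "malware/hacking"}}

def adjust_likelihood(threat, seen_before, sector_concerns):
    """Raise likelihood one step for a threat the company has already faced
    and one more if it is typical of its sector, capped at 5."""
    bump = (threat.name in seen_before) + (threat.name in sector_concerns)
    return min(5, threat.likelihood + bump)

def prioritise(threats, seen_before, sector_concerns):
    """Return (name, risk score, controls) tuples, highest risk first."""
    rows = []
    for t in threats:
        score = adjust_likelihood(t, seen_before, sector_concerns) * t.impact
        rows.append((t.name, score, t.controls))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def missing_controls(ranked, implemented, min_score=10):
    """Controls needed by every threat scoring at least min_score that are
    not yet in place: the gap list the audit should hand back."""
    needed = set()
    for _name, score, controls in ranked:
        if score >= min_score:
            needed.update(controls)
    return sorted(needed - set(implemented))

if __name__ == "__main__":
    ranked = prioritise(REGISTER, {"phishing"}, SECTOR_CONCERNS["healthcare"])
    print(ranked, missing_controls(ranked, {"firewall", "anti-virus"}))
```

Changing the sector to "retail" moves malware and denial of service up the ranking, which is exactly the difference the article describes between a healthcare company and a merchant.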
You now know the different points to study when auditing the IT security of your company.
Have you identified vulnerabilities? Cybersecurity experts can help you better secure your information system and identify weaknesses in your network.