Businesses often view a data security audit as a stressful and intrusive process: an auditor walks around distracting everybody and meddling in regular company operations. The usefulness of conducting audits is also up for debate: aren’t regular risk assessments enough to form a security strategy and keep your data protected? And if you’re subject to compliance regulations covering private data, you’ll be facing an official audit sooner or later anyway. Wouldn’t you be better off preparing for that than doing an IT security audit of your own?
In reality, however, self-audits are very useful, because they fulfill a set of specific goals. Self-audits allow you to:
- Establish a security baseline – the results of multiple self-audits over the years give you a reliable baseline against which to measure your security performance
- Help enforce security regulations and practices – audits let you verify that all cybersecurity measures put in place in your company are actually enforced and followed
- Determine the real state of your security and formulate a strategy for the future – an audit shows you how things really are in far more detail than a risk assessment can. It doesn’t just highlight what is missing; it also examines existing processes and shows why and how they should be improved.
All in all, self-auditing is an extremely useful tool when you need to assess your cybersecurity or make sure you’re ready for a real compliance audit down the line. It is good practice to do self-audits fairly often – ideally, several times a year.
But how do you conduct a cybersecurity audit?
There are a variety of ways to gather the necessary data, such as access management, user activity monitoring, and employee tracking software, all of which can feed centralized reports for a thorough security assessment. It wouldn’t be fair to say that self-audits are without drawbacks, though, and we will touch on them further down as we discuss self-auditing in more detail.
But first, let’s look at the pros and cons of each of the two ways you can conduct a self-audit.
External vs Internal Audit
When deciding to do a self-audit, you can either do it internally with your own resources or contract an external auditor. The choice between the two is not as cut and dried as one might think. External auditors are great at what they do. They bring their own cybersecurity auditing tools, such as vulnerability scanners, and their own extensive experience to the table in order to examine your security and find holes in it. The big drawback is that they are not cheap, and finding someone with the necessary qualifications and experience among the sea of offers can be very hard.
Moreover, the success of such an audit depends heavily on the quality of communication established between your company and the auditor. If an auditor cannot get the right data, or gets it late, the audit can drag on, produce unreliable results, or balloon in cost. All of this makes external audits a luxury rather than a permanent solution. They are great to do once a year (if you have the time and money for it), or as a way to prepare your company for a real compliance audit, but doing them every quarter can be cost-prohibitive.
Internal audits, on the other hand, are easy to do, and they can be very effective as a quarterly assessment, helping you gather data for your security baseline and check whether current policies are effective. The drawback is that internal auditors will often lack the experience and tools needed to match the quality of a professional external audit. This, however, is something that can be solved by hiring the right people and training them for the job.
At the same time, internal audits are not only cheap but also efficient in terms of process. It is much easier for an internal employee or department to gather all the necessary data without the arduous process of establishing effective communication with an outsider and without disturbing existing workflows within the company. And while internal audits may look complicated in theory, in reality all you need to do is complete a series of simple steps and produce the deliverables you want. Next, we will discuss those steps in more detail.
Four simple steps to self-audit
1. Define the scope of an audit
The first thing you need to do is establish the scope of your audit. Whether you check the general state of security in your organization or do a specific network security audit, third-party security audit, or any other kind, you need to know what you should look at and what you should skip. To do this, draw a security perimeter – a boundary around all your valuable assets. This boundary should be as small as possible while still including every valuable asset you have that requires protection. You will audit everything inside this boundary and leave anything outside it alone.
The best way to define the security perimeter is to create a list of all the valuable assets your company has. This can be fairly tricky, because companies often omit things like purely internal documentation, detailing, for example, various corporate policies and procedures, because it appears to have no value to a potential attacker. However, such information is valuable to the company itself: if those documents are ever lost or destroyed (for example, because of hardware failure or an employee mistake), it will take time and money to recreate them. Therefore, they should also be included in your master list of all assets requiring protection.
2. Define the threats your data faces
Once you have defined your security perimeter, you need to create a list of the threats your data faces. The hardest part is striking the right balance between how remote a threat is and how much impact it would have on your bottom line if it ever happened. For example, a natural disaster such as a hurricane is relatively rare but can be financially devastating, so it may still belong on the list.
All in all, the most common threats you should probably consider including are the following:
- Natural disasters and physical breaches – as mentioned above, while these happen rarely, the consequences can be devastating, so you probably need to have controls in place just in case.
- Malware and hacking attacks – external attacks are one of the biggest threats to data security and should always be considered.
- Ransomware – this type of malware has grown rapidly in recent years. If you work in healthcare, education, or finance, you should definitely watch out for it.
- Denial of service attacks – the rise of IoT devices has brought a dramatic rise in botnets. Denial of service attacks are now more widespread and more dangerous than ever. If your business depends on uninterrupted network service, you should definitely include them.
- Malicious insiders – this is a threat that not every company takes into account, but every company faces. Both your own employees and third-party vendors with access to your data can easily leak or misuse it, and such misuse is hard to detect without dedicated monitoring. Therefore, it is best to be ready and include it in your threat list.
- Inadvertent insiders – not all insider incidents are malicious. An employee making an honest mistake and leaking your data accidentally has become all too common in our connected world. Definitely a threat to consider.
- Phishing and social engineering – more often than not, an attacker will try to get access to your network by targeting your employees with social engineering techniques, effectively getting them to give up their credentials voluntarily. This is definitely something you should be ready for.
3. Calculate the risks
Once you have established the list of potential threats your data may face, you need to assess the risk of each of those threats materializing. Such a risk assessment will help you put a price tag on each threat and prioritize correctly when it comes to implementing new security controls. To do this, look at the following:
- Your past experience – whether or not you have encountered a specific threat before affects the probability of encountering it in the future. If your company was the target of a hacking or denial of service attack, there is a good chance it will happen again.
- The general cybersecurity landscape – look at current trends in cybersecurity. What threats are becoming more frequent? What are the new and emerging threats? What security solutions are becoming more popular?
- The state of your industry – look at the experience of your direct competitors, as well as the threats your industry as a whole faces. For example, if you work in healthcare or education, you will more frequently face insider attacks, phishing, and ransomware, while retail may face denial of service attacks and other malware more often.
4. Devise the necessary controls
Once you have established the risk associated with each threat, you’re at the final step – creating an IT security audit checklist of the controls you need to implement. Examine the controls already in place and devise ways to improve them, or implement the processes that are missing.
The most common security measures you may consider include:
- Physical server security – if you own your own servers, you should definitely secure physical access to them. This is less of a concern if you simply rent server space from a data center, although you should still confirm what physical controls the provider has. At the same time, any IoT devices in use in your company should have all their default passwords changed and physical access to them thoroughly secured in order to prevent tampering.
- Regular data backup – backups are very effective in case of a natural disaster or a malware attack that corrupts or locks you out of your data (ransomware). Make sure backups are taken as frequently as possible, keep at least one copy offline or otherwise isolated so that ransomware which reaches your network cannot encrypt the backups too, and establish and regularly test a procedure for restoring your data.
- Firewall and anti-virus – this is cybersecurity 101, but you need to protect your network with correctly configured firewalls and your computers with anti-virus software.
- Anti-spam filter – a correctly configured anti-spam filter is a great help in fighting phishing attacks and malware sent via email. While your employees may know not to click links in suspicious emails, it’s always better to be safe than sorry.
- Access control – there are several ways to control access, and you would be better off putting all of them in place. First, make sure you control the level of privilege users have and apply the principle of least privilege when creating new accounts. Beyond that, two-factor authentication is a must, as it greatly increases the security of the login procedure; combined with access logging, it lets you establish who exactly accessed your data and when.
- User action monitoring – software such as Ekran System records everything a user does during a session, allowing you to review every incident in its proper context. Not only is this very effective for detecting insider threats, it is also a great tool for investigating breaches and leaks, and a good answer to the question of how to do an IT security compliance audit, since it produces the evidence such an audit requires.
- Employee security awareness – to protect your employees from phishing and social engineering attacks, reduce the frequency of inadvertent mistakes, and make sure all security procedures are followed, educate them on cybersecurity best practices. Teach your employees about the threats that both they and your company face, as well as the measures you have put in place to combat those threats. Raising employee awareness is a great way to transform them from a liability into a useful asset when it comes to cybersecurity.
The four simple steps described above – defining the scope of the audit, defining the threats, assessing the risk associated with each individual threat, and assessing existing security controls and devising the new controls and measures to be implemented – are all you need to conduct a security audit. Your deliverables should constitute a thorough assessment of the current state of your security, together with specific recommendations on how to improve it. The data from such a self-audit contributes to establishing a security baseline and to formulating your company’s security strategy.
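The four steps above, as an added worked example that is not part of the original article: a small Python risk register that keeps only assets inside the perimeter (step 1), scores each threat as likelihood times impact on 1-to-5 ordinal scales (step 3), and lists the controls each asset is missing for every threat scoring at or above a threshold (step 4), which is the checklist the audit should deliver. The asset names, threat ratings, control names and the threat-to-control mapping are constructed for illustration and are assumptions, not data from the page; replace them with your own inventory, incident history and control set.

```python
"""Self-audit risk register: scope -> threats -> risk score -> control gaps.

Added example, not code from the original article. The assets, threat
ratings and required-control mapping are constructed for illustration;
replace them with your own inventory, incident history and control set.
"""
from dataclasses import dataclass, field

# Ordinal 1-5 scales so likelihood and impact are comparable.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Threat:
    name: str
    likelihood: str             # key of LIKELIHOOD
    impact: str                 # key of IMPACT
    required_controls: tuple    # controls that mitigate this threat (assumed mapping)

    def score(self) -> int:
        """Risk score = likelihood x impact (step 3)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass
class Asset:
    name: str
    in_scope: bool                                  # inside the security perimeter (step 1)?
    controls: set = field(default_factory=set)      # controls already in place


def risk_register(assets, threats):
    """(asset, threat, score) for every in-scope asset, highest risk first."""
    rows = [(a.name, t.name, t.score())
            for a in assets if a.in_scope for t in threats]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def control_gaps(assets, threats, min_score=6):
    """Controls each in-scope asset lacks for threats scoring >= min_score (step 4).

    Threats below min_score are treated as accepted risk and add no checklist items.
    """
    gaps = {}
    for a in assets:
        if not a.in_scope:
            continue
        missing = set()
        for t in threats:
            if t.score() >= min_score:
                missing |= set(t.required_controls) - a.controls
        if missing:
            gaps[a.name] = sorted(missing)
    return gaps


def sample_inventory():
    """Constructed sample data (assumptions, not real measurements)."""
    assets = [
        Asset("customer-db", True, {"backup", "firewall"}),
        Asset("hr-policies", True),                  # internal docs still count as assets
        Asset("marketing-site", False, {"cdn"}),     # outside the perimeter: not audited
    ]
    threats = [
        Threat("ransomware", "likely", "severe", ("backup", "antivirus", "awareness")),
        Threat("phishing", "almost_certain", "major", ("spam_filter", "mfa", "awareness")),
        Threat("malicious_insider", "possible", "major",
               ("least_privilege", "mfa", "activity_monitoring")),
        Threat("ddos", "unlikely", "moderate", ("ddos_protection",)),
        Threat("hurricane", "rare", "severe", ("backup", "offsite_backup")),
    ]
    return assets, threats


if __name__ == "__main__":
    assets, threats = sample_inventory()
    for asset, threat, score in risk_register(assets, threats):
        print(f"{score:2d}  {asset:15s} {threat}")
    for asset, missing in control_gaps(assets, threats).items():
        print(f"{asset}: implement {', '.join(missing)}")
```

Raising `min_score` is how you express risk appetite: with the sample data, the hurricane (score 5) drops below the default threshold of 6, so the off-site backup it would require never reaches the checklist, while the out-of-scope marketing site produces no rows at all.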
Cybersecurity is a continuous process, and self-audits should be your big regular milestones on this road to protect your data.