In life and business, many tasks can be divided up into things you can control and things you can’t control. In the search engine optimization world, you can’t control when Google may release an update and tank your rankings. In sales, you have a level of preparation over your sales pitch. You can’t control what the client will say to you (unless you slide them a couple of front-seat tickets to the upcoming concert).
Your IT security, however, is one area where you need to be in complete control. You don’t want to leave your business’s security up to chance or hope. Attacks can happen at any time, and they can be costly. Even if they weren’t costing you six figures (or more), can you afford to spend lots of money on something that shouldn’t have been an issue in the first place?
In order to make sure that you are safe from any potential breaches or attacks, you need to be performing regular IT security audits. Today, we’re going to go over what an audit is, how often you need to perform one, and the important items you need to make sure are on your checklist.
What is an IT Security Audit?
When it comes to your business, there are plenty of audits you can (and should) be running. SEO audits, content audits, network audits, and of course, the ever-fun third-party financial audits. All of those are important but perhaps none are more important than your IT security audit, usually performed by a professional security auditor.
Within an IT security audit, there are two primary assessments. The first of which is the review of automated assessments. This involves an examination of system-generated reports, software reports, server changes, and file settings.
The second part, and the more laborious of the two, is a manual assessment of, well, just about everything else. That involves physical hardware examination, vulnerability scans, access control review, resource overview, and even interviewing employees.
An IT security audit is a large process and is not something that can be done within a week. For some businesses, it’s a multi-day and even multi-week undertaking.
Why is this Assessment Important?
You can probably guess that one of the most important parts of such an audit is finding security issues and patching them more quickly. However, there are also a number of other benefits that come with regularly performed audits.
#1 - It Helps Streamline IT Work
After an audit is complete, the report can tell you which areas need improvement or closer examination. This lets IT personnel make proactive decisions about their network and security instead of always responding to attacks. If everyone has their work set out for them ahead of time, maintaining security and dividing up tasks will be more efficient and boost productivity.
#2 - It Helps Explain IT Costs
The financial auditors aren’t due here for another month, so why are we talking about money?
Hopefully, your company hasn’t experienced a data breach or security issue. If this is the case, there might be others in the company wondering why so much money is being spent on network infrastructure security. We haven’t had an issue in a decade, what’s the point of allocating X amount of dollars to our security? Would that money be better spent in another area?
These audits can show that such expenditures are justified and necessary to safeguard an organization. Plus, they can show what might happen if such measures were taken away.
#3 - It Promotes Teamwork
While your IT staff is in charge of everything from setting up people’s emails to network security, they cannot always be a watchdog ensuring that everyone is adhering to security guidelines. In order for implementation to be successful, everyone needs to buy into the basic ideas of security.
An audit can help show workers in various departments the primary areas of risk and what actions they should be mindful of. While they might be tired of hearing warnings and advice through company emails, an audit will give them something a bit more tangible to see.
How Often Should a Company Do IT Security Audits?
Generally speaking, you should be conducting this type of audit at least once a year. Some may prefer to do it more often, such as every six months or even once a quarter. If you do decide to do them on a more frequent basis, you’re going to find possible security holes or other issues sooner.
More often than not, the size of a business determines how long such an audit takes. Auditing a large company with thousands of employees may take weeks, while a small company with a handful of employees can be completed in a matter of days.
The IT Security Audit Checklist
All right, we’ve covered the basics of an IT security audit, so let’s move on to the checklist. Dust off your clipboards, notebook paper, and #2 pencils, and let’s get started!
Start at the Beginning
Before you jump right into solving security threats, you need to get a bird’s-eye view of the company’s security plan. Read over what the security policies are, how employees are trained on them, and how often they are reminded of such policies. You should review business processes such as disaster recovery plans, restoration paths, and response plans for a cybersecurity attack.
You’ll also want to have a comprehensive list of what software and hardware a company has and who has access to these devices.
Going through the policies and framework first will ensure that security measures are in line with business objectives. The last thing you want to do is go through with an audit only to have it hinder business efficiency. Your objective should be to make things more secure without disrupting everyday activities.
If this is the first time you’ve performed such an audit with this company, you’re going to want to see the last audit and its findings as well as actionable steps the company took.
You can consider this “Step Zero”. It’s quite important, however, because it lets you lay out a plan of attack and gauge which areas you will have to focus your efforts on.
Discussion with Management
One might think that a security audit is simply testing systems and interacting with computer software and hardware, but there is a personal element to the whole process. Part of this goes hand-in-hand with Step Zero above, but it’s also necessary to find out management’s goals:
- Is there one area of particular concern?
- What do they expect the audit to find?
- Have there been any significant issues in the past?
- Are there any current threats out there?
This way, you uncover many issues before they pop up and surprise you later. You might also find out if there have been recent employees who have left that never had their credentials revoked or a former disgruntled employee who has access to sensitive data (like a certain Bruce Willis film).
Remember, management may not be IT experts, and what seems like a harmless issue to them could be a huge red flag.
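The “employees who left but never had their credentials revoked” problem is one of the few items in this conversation that you can also check mechanically. The script below is an added example (not Atiba’s tooling, and all of the account and HR data in it is constructed) that reconciles a directory export against the HR roster: it flags enabled accounts whose owner has been terminated, accounts with no owner in HR at all, and accounts that have not logged in within a stale window. The 90-day window and the severity scheme are assumptions you would tune to the company’s policy.

```python
"""Reconcile active accounts against the HR roster to find credentials that
should have been revoked.  Added example: every record below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    owner: str                  # HR employee id; "" when nobody is recorded as owner
    enabled: bool
    last_login: Optional[date]  # None when the account has never logged in
    privileged: bool            # admin / domain-admin style rights


@dataclass
class Employee:
    employee_id: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date]


def audit_accounts(accounts: List[Account], roster: List[Employee],
                   today: date, stale_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (username, severity, reason) findings, highest severity first.

    Disabled accounts are skipped: the point is live credentials that should
    no longer exist, not the directory's history."""
    by_id = {e.employee_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        base_severity = "high" if acct.privileged else "medium"
        emp = by_id.get(acct.owner)
        if emp is None:
            # Nobody in HR owns this login: orphaned or undocumented service account.
            findings.append((acct.username, base_severity,
                             "no matching employee in HR roster"))
            continue
        if emp.status == "terminated":
            days = (today - emp.end_date).days if emp.end_date else "an unknown number of"
            findings.append((acct.username, "high",
                             f"owner left {days} days ago, account still enabled"))
            continue
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append((acct.username, base_severity,
                             f"no login in the last {stale_days} days"))
    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (order[f[1]], f[0]))
    return findings


def run_audit() -> List[Tuple[str, str, str]]:
    """Run the reconciliation over a constructed directory export and roster."""
    today = date(2024, 3, 1)                                   # constructed audit date
    roster = [
        Employee("E100", "active", None),
        Employee("E200", "terminated", date(2023, 12, 1)),     # left three months ago
        Employee("E300", "active", None),
        Employee("E400", "active", None),
    ]
    accounts = [
        Account("alice", "E100", True, date(2024, 2, 28), False),   # healthy
        Account("bob", "E200", True, date(2023, 11, 30), False),     # owner terminated
        Account("svc_backup", "", True, date(2024, 2, 29), True),    # no owner on file
        Account("carol", "E300", True, None, False),                 # never logged in
        Account("dave", "E400", False, date(2023, 1, 1), True),      # already disabled
    ]
    return audit_accounts(accounts, roster, today)


if __name__ == "__main__":
    for username, severity, reason in run_audit():
        print(f"[{severity:6}] {username}: {reason}")
```

Feed it a real export (CSV from the directory, CSV from HR) and the only code that changes is the two loaders; the reconciliation logic stays the same. Accounts with no HR owner are usually the most interesting set to walk through with management, since they are where shared and service credentials hide.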
Find Potential Threats
There is no shortage of threats, but there are some major ones that you need to keep your eyes out for.
One of the most common threats is malware. This includes spyware, viruses, worms, and ransomware. One of the biggest recent attacks was WannaCry, ransomware that infected thousands of computers worldwide. The vast majority of computers affected were ones that had not applied Microsoft’s security patches or were end-of-life machines.
You should also be on the lookout for DoS (denial of service) attacks. DDoS (distributed denial of service) attacks, which use multiple systems instead of one, are on the rise, and some of the larger-scale attacks have brought down the internet across the country.
Other areas of concern include data leaks, social engineering, and account hijacking. These are often the result of negligence or poor decisions by users, showing just how important it is for all members of an organization to be on the same page when it comes to security.
Additionally, you’ll want to perform a physical check as well. Make sure server rooms are locked, rooms are safe from unauthorized users, and items such as shredders and dumpsters are secure to prevent dumpster diving.
Security Performance Evaluation
There are a few things you should be checking when it comes to security performance. The first one is the most basic: password testing. While long, super-complicated passwords aren’t a necessity anymore (the guy who invented those rules even apologized), passwords do need to be unique.
Make sure users are using long and unique passwords for their log-ins. At the very least, ask them to ensure their personal and work passwords differ.
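A policy check that follows the advice above (length and uniqueness rather than character-class rules) is short enough to show in full. The following is an added example, not code from Atiba or from any particular identity product: it rejects short passwords, passwords on a known-compromised list, passwords containing the username, and passwords that match one of the user’s earlier salted hashes. The 12-character minimum and the tiny denylist are constructed stand-ins; in practice you would load a real breached-password list and the organisation’s own minimum.

```python
"""Password policy check favouring length and uniqueness over complexity rules.
Added example; the minimum length and denylist are constructed assumptions."""
import hashlib
import os
from typing import Iterable, List, Tuple

MIN_LENGTH = 12                  # assumption: the organisation's minimum length
# Constructed denylist standing in for a real known-compromised password list.
DENYLIST = {"password", "password123", "welcome1", "letmein", "summer2023"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; used here only to compare against history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_password(username: str, password: str,
                   previous: Iterable[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return a list of policy failures; an empty list means the password passes.

    `previous` holds (salt, digest) pairs for the user's earlier passwords so
    reuse can be detected without ever storing the old plaintexts."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in DENYLIST:
        failures.append("appears in the known-compromised list")
    if username.lower() in password.lower():
        failures.append("contains the username")
    for salt, digest in previous:
        if hash_password(password, salt) == digest:
            failures.append("reused from an earlier password")
            break
    return failures


def demo() -> dict:
    """Exercise the check on constructed candidates for a constructed user."""
    salt = os.urandom(16)
    history = [(salt, hash_password("correct horse battery staple", salt))]
    return {
        # 11 characters: short despite the symbols and digits
        "too_short": check_password("alice", "Tr0ub4dor&3"),
        # short and on the denylist (lowercased for the comparison)
        "denylisted": check_password("alice", "Password123"),
        # long enough, but identical to a password already in the user's history
        "reused": check_password("alice", "correct horse battery staple", history),
        # long, unique, not denylisted: passes
        "ok": check_password("alice", "orbit-walrus-trombone-41", history),
    }


if __name__ == "__main__":
    for label, failures in demo().items():
        print(f"{label:10} -> {failures or 'OK'}")
```

Note what the check deliberately does not do: it never demands an uppercase letter or a symbol, in keeping with the point that length and uniqueness matter more than complexity. Reuse across a user’s personal and work accounts cannot be tested this way (you do not hold their personal hashes), which is why that part of the audit stays a conversation.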
The second, a security framework review, is used to identify the security measures currently in place. That means first checking out which devices need protection. Typically, that involves checking devices, emails, software, and the network people are working on. If your company is remote, this presents a bigger challenge. Workers may be using their own personal devices and their home internet.
One of the most important parts of the evaluation is what we like to call “rockin’ the boat” (not just because we’re big fans of Stubby Kaye’s rendition of the song in Guys and Dolls).
You need to carry out penetration testing and a security awareness assessment. You should be testing how current employees respond to email scams, carrying out simulated attacks on the system, and testing employee security knowledge. Sometimes, this involves an actual white-hat hacking attempt. Be aware, however, that this can have serious repercussions if it is not carefully scoped and authorized.
Plan a Defense Strategy
Now that you have identified threats and performed a successful evaluation of your security, it’s time to set up a defense plan in the audit report.
At the top of your strategy to-do list should be monitoring tools. Set up a monitoring schedule and testing for all aspects of security. Having these in place will make future audits that much easier.
What your defense strategy looks like will depend on the threats you’ve found. If DoS attacks are becoming more frequent, then you should look to strengthen your network infrastructure. If devices are being infected with malware, then look at how to upgrade your virus protection.
Lastly, part of your defense strategy should be planning future security audits. Will you be doing them quarterly? Every six months? Annually? Whatever your plan is, stick to it and keep detailed records of your findings and changes. Track progress over the year as well to make sure your recommendations are having their desired effect.
What About Special Audits?
Sometimes, even with the most diligent of preparation, a security breach can occur. When that happens, should you perform an audit right away or simply investigate the issue?
It’s highly recommended to perform a full-scale audit, as the breach may have uncovered an issue that wasn’t obvious during the first audit. In addition to sporadic or new attacks, you should also make sure to perform an audit if one of the following occurs:
- System upgrade
- Sudden business growth (more than 5+ employees or contractors)
- Loss of multiple employees (especially if those employees had sensitive information)
- Business acquisition or merging
- Business re-branding
- New software implementation
You want to make sure your security is not compromised when there are big changes to your business. Start off on the right foot.
One of the most important things you can do for your business is to perform routine IT security audits. It can be hard to look at your own flaws, but by being diligent about internal performance, you can catch errors, resolve issues, improve security, and educate employees on best practices.
A security audit is not one area you want to take lightly. While you should be performing internal audits, the best way to make sure you’re getting the results you need is to hire an expert. Here at Atiba, we have been helping companies with technical and IT audits for years. We have an experienced team ready to help you make your business more secure.
Reach out to us today for your project quote. We look forward to hearing from you!