How often should you audit your cyber security and who should do it?

Many companies assume their systems are secure, but this is difficult to know without performing regular in-depth audits of your security.  And it's not simply a requirement for your IT department either - security is the responsibility of all employees but the fact is, you're unable to have a security baseline without an audit.  Security audits are complex, time-consuming and then the data needs to be interpreted and fixes need to be made. So, how often should you audit your cyber security and who is best placed to do it?


What's the difference between a Special and Routine Audit? 

Routine Audit:  

A routine audit is a largely automated process that IT teams use to carry out recurring auditing activities, such as control reviews and risk assessments. It is performed frequently and is closer to regular maintenance: tooling does much of the work of identifying the patterns or anomalies the organisation has decided to look for.

How often should IT managers perform routine audits?

When to perform a routine audit is your decision as an IT manager. You might choose to perform them monthly, quarterly or bi-annually. However, it's recommended that, at a minimum, these audits are performed at least twice a year.

The length of time between audits obviously depends on how big your organisation, or each individual department, is. Other determining factors include the complexity of your systems, the type of information you hold (such as highly confidential data) and, of course, how invested the organisation is in cyber security.

Special Audit:  

A special audit takes place in an organisation under a specific circumstance and uses advanced tooling to focus on a particular area once an event has occurred, such as a data breach.

A special audit is important in this case, as a data breach might take place the day after a routine audit has been performed. The next routine audit might not be until the following quarter, which would leave your organisation exposed in the meantime. Instead, a special audit takes place immediately after this or a similar event to analyse the situation and the affected systems, so that fixes can be implemented or recommended much more quickly.

Special Audits (anything other than routine) should be performed under the following circumstances:

  • After a security incident or breach
  • After a system upgrade or new installation
  • After changes to compliance laws
  • When your business grows by more than five users
  • When you've had a business merger
  • When you've had a digital transformation
  • When you've implemented a new system

What software is available for cyber security auditing?

There are several dozen popular commercial network and computer security auditing programs available, all producing an abundance of useful information with which to improve your security. The difficulty is understanding what these tools are telling you. Having a system in place that provides a plethora of data is one thing, but it is not very effective if you're unable to act on the analysis it produces.

Who should audit your cyber security? 

There are two options here. You can either choose for your IT department to perform these audits, or you can take the recommended route of outsourcing cyber security audits to a third-party. The best option is most likely a combination of the two, especially since a reliable third-party partner will work alongside your in-house team.

This approach enables your organisation to benefit from a company that employs expert IT auditors whose purpose is to rigorously assess the programs and operations of an organisation. Their primary function is to analyse your organisation's IT hardware and software, and they will even work with your company on-premises to assist with IT needs.

Therefore, it's important that you're working with experts who will maintain regular operations and minimise risk across the technology-related hardware, software and IT equipment within your organisation. It's vital to ensure that you only work with auditors or outsourced cyber security companies that possess high-level core skills. These include:

  • The ability to perform regular, in-depth risk assessments
  • Internal audit experience
  • High interpersonal and communication skills
  • Experience in security testing within organisations
  • In-depth knowledge of IT security and infrastructure
  • More than basic knowledge of various operating system platforms
  • The ability to write in-depth, clear reports
  • Highly analytical with the ability to use relevant software efficiently
  • Completed IT auditing certifications and qualifications, such as ISO27001

It can be an exhausting task trying to find employees who excel in every one of these areas, which is why it's more efficient to work with an external company that already employs experts in this field.

How is an audit performed?

Many IT managers use an automated program to gather information on the internal networks and the external, Internet-facing subnet. Although these audits can be done by your own team or by an external vendor, it is not recommended that your in-house team performs them unless you are absolutely certain they are experts in this field. It's also highly recommended that you don't choose a vendor you are already doing business with.

The problem with internal audits is that if your IT professionals aren't used to doing them routinely, they may not check every component of your network. Missing a single server can be detrimental to your security, so it's vital that you hire a team of experts, especially for something as important as your organisation's internal and external security.

Why should I outsource my audits?

Again, audits are complex, in-depth and need the right people to interpret the data.

  • Your IT team may understand how to interpret the data, but do they know how to act on it?
  • Do they know how to prioritise what steps should be taken first?
  • Do they know when you'll need additional scans?
  • Do they know how to set up a security benchmark?

If you can answer 'no' to any of these questions, then you need a third party or external vendor to perform your security audits.

Many companies may consider these audits an unnecessary expense that can be handled internally. However, take into consideration the number of people on your internal IT team and how much you are paying them. If it were to take them approximately three days to perform these audits and act on the results, you could be spending a vast and unnecessary amount.

That's why it's often beneficial to outsource: your IT team can continue with their day-to-day tasks, while an external partner uses their expertise to perform the audits. But you can't just hire any third-party company. For example, one company's internal audit vendor ignored a direct VPN connection on their internal network and dial pool that was bypassing a firewall. Instead, the same vendor was replacing functioning internal network equipment because of "vulnerable" firmware, whilst a security threat spread through the network from a remote office connected via that VPN.

Again, it's all about understanding how to interpret that data.

How do I find a company I can trust?

There is no one-size-fits-all advice, but look for a company that has trusted partners it can name and a track record for service delivery. The first step is to assess your security landscape and perform a vulnerability assessment of your network. Outsourcing your IT security audits can yield benefits without increasing risk and cost to your organisation, but it's critical to first understand the baseline: what you are outsourcing, and why.

Why not download our free vulnerability assessment sample to see the kinds of data you can get back.

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24x7x365 from our ISO27001-accredited UK Network & Security Operations Centre (NOC/SOC).

At the heart of Comtact's security operations lies a layered suite of technologies, integrated with the newest cutting-edge security solutions - to extend security intelligence and provide visibility beyond the reach of the everyday analyst - helping secure some of the UK's leading organisations.
