Many companies assume their systems are secure, but this is difficult to know without performing regular in-depth audits of your security.
And it's not simply a requirement for your IT department either - security is the responsibility of all employees but the fact is, you're unable to have a security baseline without an audit.
Security audits are complex, time-consuming and then the data needs to be interpreted and fixes need to be made. So, how often should you audit your cyber security and who is best placed to do it?
What's the difference between a Special and Routine Audit?
A routine audit is an automatic method IT teams use to perform auditing activities. It can include control and risk assessments, for example. This is done on a more frequent basis and is more about regular maintenance, whereby technology plays a key role to help automate the identification of certain patterns or anomalies an organisation might be looking for.
> How often should IT managers perform routine audits?
The decision on when to perform a routine audit is your decision as an IT manager. You might choose to perform them monthly, quarterly or bi-annually. However, it's recommended that at a minimum, these audits are performed at least twice a year.
The length of time between audits obviously depends on how big your organisation or each individual department is. Other determining factors include the level of complexity of your systems and the type of information you hold - such as highly confidential data - along of course, with how invested the organisation is in cyber security.
A special audit takes places in an organisation under a certain circumstance and uses advanced technology to focus on a particular area once an event has occurred, such as a data breach.
A special audit is important in this case, as a data breach might take place one day after the routine audit has been performed. The next routine audit could be in the following quarter which means your organisation could be left more vulnerable. Instead, a special audit would take place after this or a similar event to analyse the situation and the systems in order to implement or suggest fixes much quicker.
> Special Audits
(anything other than routine) should be performed under the following circumstances:
- After a security incident or breach
- After a system upgrade or new installation
- After changes to compliance laws
- When your business grows by more than five users
- When you've had a business merger
- When you've had a digital transformation
- When you've implemented a new system
What software is available for cyber security auditing?
There are several dozen popular commercial network and computer security auditing programs available, all creating an abundance of useful information with which to improve your security. It's complex to understand what these systems are telling you. It's one thing having a system in place, providing you with a plethora of data and information, but not very effective if you're unable to action the analysis you find.
Who should audit your cyber security?
There are two options here. You can either choose for your IT department to perform these audits, or you can take the recommended route of outsourcing cyber security audits to a third-party. The best option is most likely a combination of the two, especially since a reliable third-party partner will work alongside your in-house team.
This approach enables your organisation to benefit from having a company that employs expert IT auditors whose purpose is to tortuously assess the programs and operations of an organisation. Their primary function is to analyse your organisation's IT system hardware and software programs and will even work with your company on-premise to assist with IT needs.
Therefore, it's important that you're working with experts who will maintain the regular operations and minimise risk when it comes to technology-related hardware, software and IT equipment within your organisation. It's vital to ensure that you only work with auditors or outsourced cyber security companies that possess high-level, core skills. These include:
- The ability to perform regular, in-depth risk assessments
- Internal audit experience
- High interpersonal and communication skills
- Experience in security testing within organisations
- In-depth knowledge of IT security and infrastructure
- More than basic knowledge of various operating system platforms
- The ability to write in-depth, clear reports
- Highly analytical with the ability to use relevant software efficiently
- Completed IT auditing certifications and qualifications, such as ISO27001
It can be an exhaustive task trying to find employees who excel in each area, which is why it's more efficient to work with an external company who already employ experts in this field.
How is an audit performed?
Many IT managers use an automated program to gather information on the internal networks and the exterior Internet subnet. Although these audits can be done by your own team or by an external vendor, it is not recommended that your in-house team performs these audits unless you are absolutely certain they are experts in this field. It's also highly recommended that you aren't choosing a vendor that you are currently doing business with.
The problem with internal audits is that if your IT professionals aren't used to doing them routinely, they may not check all of the components of your network. Missing one server can be detrimental to your security - so it's vital that you hire a team of experts, especially when it's as important as your organisation's internal and external security.
Why should I outsource my audits?
- Your IT team may understand how to interpret the data, but do they know how to action it
- Do they know how to prioritise what steps should be taken first?
- Do they know when you'll need additional scans?
- Do they know how to set up a security benchmark?
If you can answer 'no' to any of these questions, then you need a third party or external vendor to perform your security audits.
Take into consideration the number of people you have on your internal IT team along with how much you are paying them. That's why it's often beneficial to outsource to a cyber security specialist.
What's a good first step?
There is no one-size fits all advice, but many companies typically start with a penetration test, or vulnerability scan - as they're great ways to quickly identify critical security threats to your business, plus helping guide a cost-effective improvement programme going forward.
It's critical to first understand the baseline - then you can go from there.
> View a FREE sample Penetration Test report
Take a look at a sample risk-based report to understand the approach, critical security intelligence and actionable steps with our CREST-certified penetration tests.
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact's state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK's leading organisations.