How to Do a Cyber Security Audit

The 2015 Global Audit Committee Survey determined that cybersecurity was the fourth biggest concern for a business, after economic and political uncertainty and volatility; regulation and the impact of public policy initiatives; and operational risk. Everybody — from CEOs to ordinary consumers — knows about cyber-attacks on major companies like Target and Home Depot. But despite increased awareness, most businesses aren’t keeping up with the escalating expertise of cyber villains, whether because of limited resources or apathy. As the gap between the abilities of businesses and attackers grows, companies must ramp up their security efforts.

Most businesses have good intentions to improve security. But these intentions sometimes don’t translate into action, especially since it’s hard to form clear goals that track security success. More often, companies assume their security is fine – until a major, costly and embarrassing public failure.

Don’t wait until disaster strikes. Hire experts to audit your security now. If you’re unable to hire outside help, start improving security by performing your own DIY security audit. An audit involves assessing vulnerabilities and forming a plan to keep your company safer. Here’s how to audit yourself.

Analyze Past Threats

The past is prologue. Has your company faced certain types of security breaches in the past? Look for signs of weakness; in 2015, the weakest link is often the first point of entry. Apply extra effort to strengthening places where past breaches occurred, as you know these parts of the company are historically vulnerable.

Keep Up with Security Trends

Security threats are ever changing as cyber-villains up their game. Stay abreast of threats in your industry. Read white papers, talk to colleagues at professional conferences, and check in with your competition. It can be overwhelming; sometimes an expert in network security is needed to fully secure your systems. Develop a working relationship with your rivals, at least as far as sharing information about security risks.

Calculate Risks

How do you calculate risk? Use this formula: Risk = Probability x Harm

For example, something very harmful but unlikely to happen is not high risk. Nor is something very probable that causes little harm. But combine high probability with very harmful consequences and you have a risk you’d best prepare for.

To assess probability, look at your company’s threat history, threats your competitors have faced and any studies you can find about how other companies deal with threats. To assess potential harm from a particular threat, count up dollar amounts in revenue lost or worker-hours it would take to fix the problem.

This assessment goes hand in hand with identifying your key data. Businesses should focus on protecting their most critical assets.

Create Backups

Most companies fear cyber-attacks. But accidental losses of information are likelier than hacking. This could be as small as a cup of coffee spilled on a company smart phone or as major as an earthquake. Your security audit should check current backup systems. Do you use cloud storage? External hard drives? If you use the latter, are the hard drives stored off premises? In case of theft, fire or flood, onsite external hard drives won’t do you much good.

Tighten Email Security

Most workers know better than indulging in Nigerian banking schemes or giving their credit card number when an email from a distant acquaintance claims she lost her suitcases while traveling in Scotland. But in 2015, hackers have developed more sophisticated ways to phish. Your employees might not be able to distinguish the legit from the bogus. Educate them about the latest phishing schemes. If an authentic-looking email comes from a bank or credit card company, instruct them to call the financial establishment’s official number rather than responding to an email.

Two-factor authentication cuts down on email security breaches. This system requires two factors – usually your username and password combined with access to your phone. You can also enable alerts so you’ll get an email or text notifying you of failed login attempts. If you didn’t make the attempt, you’ll know a hacker may be circling your account. You may also be able to set up a regional filter which blocks access to your account outside of a designated geographic area. This can prevent foreign hackers from gaining access. Working with a company skilled in help desk support can prevent future breaches.

Social Media

The rise of social media introduces even more threats into the workplace. This can happen both through employees using social media on company computers or smart phones, or using their own devices for company information. Either way, if employees click the wrong link, they could accidentally download malware that infects company networks and steals or destroys sensitive client information. If your employees are using their personal devices at work, your IT department must make sure the devices are protected with malware detection and anti-virus software.

Companies should have social media policies spelling out what is and is not allowed. Employees definitely shouldn’t store or share company data on social media sites. Social media security training is crucial. Companies should also strictly regulate who has access to their official social media accounts.

Prevent Physical Harm

A security audit should cover old-fashioned threats as well, such as physical theft. How secure is the building? Do you have an alarm system? What safeguards do you provide for employees working late at night? What systems do you implement to prevent employees from stealing sensitive data?

Alarms and video surveillance help prevent unauthorized access to your building. Encrypted hard drives will protect sensitive data on stolen laptops.

Getting it Right

Your security audit must take a close look at all avenues for threats – every device that connects to the internet, your physical space and the training of all employees, not just IT staff. These days, every company, large and small, has become a likely target of cyber-attacks. Focus your efforts on protecting your most critical information assets first. And don’t hesitate to call in the experts for a more thorough security audit. While many businesses think this is a service they can’t afford, security breaches are much more costly than prevention.