While the threat of data breaches and hackers is concerning for your business, knowing you’ve done everything in your power to secure your systems is key to greater peace of mind.
SoGlos spoke to award-winning provider of cyber-focussed IT support and consultancy, Optimising IT, about cyber security audits and why putting the right measures in place can avoid hefty repair and recovery costs.
About the expert – Todd Gifford, chief technical officer at Optimising IT
Specialising in all things cyber, Todd Gifford is an ISO27001 lead auditor with CISSP (Certified Information Systems Security Professional) certification and over 20 years’ experience in IT – including seven at Optimising IT.
Through his blogs, he is regularly invited to join panel discussions on the latest cyber security trends, so he is ideally placed to advise businesses on best practice.
For more information, visit optimisingit.co.uk.
What does a security audit involve?
Security audits can focus on a single website or e-commerce provider, or be more wide-ranging, encompassing all things IT and data.
One or more common standards may be used for comparison with your organisation’s current approach, such as Cyber Essentials or ISO27001.
They can also be 100 per cent bespoke and include technical security testing, if required – it all depends on the context and risk level of your organisation.
As a construction firm or a distribution company for example, your information security risk profile will be very different to a government contractor or an organisation that holds medical records.
Why is auditing important?
Year on year, we see the scale and impact of cyber-attacks increasing. Whilst most attacks are financially motivated, how cyber criminals extract money from your organisation can have a devastating effect on operations and potentially lead to a loss of reputation, as well as regulatory fines.
Many organisations have had their operations impacted for months on end and some have failed as a direct result of a cyber-attack.
As with many things, prevention is better than cure.
Who should be implementing them?
Any organisation that uses computers and data to operate would benefit from a detailed understanding of its current cyber approach; that is most organisations.
The critical outputs from any security audits are:
• A clear, business-focused overview that enables the top-level management to make informed decisions about improvements,
• A detailed report indicating the areas reviewed and their status,
• Clear, easy to follow actions to improve the organisation’s cyber security.
How long does an audit take?
Depending on the scope of the audit and the size and complexity of the organisation being audited, it can take between two days and two weeks.
Typically, most audits we carry out for mid-sized organisations take five days, with additional time for any technical or penetration testing activity.
What does a good audit look like, in terms of findings?
A good audit identifies information that wasn’t previously known. In turn, this enables organisations to make informed decisions about making improvements to mitigate risk.
Audits often get a bad rep, but they are simply a structured way to identify facts that are used to inform the decision-making process.
How often should you have a cyber security audit?
The world of cyber security moves quickly and organisations evolve with new systems, suppliers and business operations.
The audit frequency depends on your organisation’s requirements, but we would recommend at least an annual review to ensure everything is on track.
Do these audits need to be outsourced, or can they be done in-house? Who is qualified to conduct them?
A competent and experienced auditor should always complete audits. An external auditor ensures a quality outcome with up-to-date advice; it also helps to ensure impartiality.
If you have a large enough team with the right skills, a mix of internal review and use of an external consultant offers a good mix of value and impartiality.
How do you go about organising an audit and what needs to be done in preparation?
If you haven’t carried out a cyber security audit before, here are the key steps we recommend:
• Find a partner that you can work with,
• Work with your internal teams and your chosen partner to identify the scope of the planned audit,
• Schedule the audit. Typically, at least the IT team or IT provider will have a large amount of input into the process, but other departments and key staff will also likely need to be involved,
• If the agreed audit scope follows a well-known standard, such as Cyber Essentials or ISO27001, an audit questionnaire can typically be shared ahead of the audit to enable information gathering and preparation.
Your chosen audit partner should provide you with an easy-to-follow guide about the steps any audit will take and what is needed from you to make it a success.