What is a Cybersecurity Audit?
A cybersecurity audit is used to detect and assess the existence of cybersecurity controls.
What are Cybersecurity Controls?
Cybersecurity controls are principles and tools aimed at securing a company's digital assets.
Cybersecurity controls can be broken down into several categories generally recognized within the industry:
- Operational Controls | These controls include the human aspects of cybersecurity and aim to address needs such as personnel training, permission management, and access logging.
- Technical Controls | These controls include hardware and software infrastructure limiting access to unauthorized users - encryption, authentication, access control lists, firewalls, etc.
- Physical Controls | These controls include physical security that protects digital assets from being compromised by bad actors. Ex: fences, gates, security keys, etc.
- Administrative Controls | These controls are policies implemented by the management teams and govern the security culture of the business. They’re the rules and regulations that dictate ownership and expectations and set goals for the overall organizational evolution of cybersecurity.
- Detective Controls | These controls are the protocols and procedures triggered by an abnormal event. For example, if there’s a breach, a detective control can be used to mitigate the damage and shut down certain parts of the infrastructure.
- Other Controls | Depending on the organization, you’ll find an extensive list of controls that will address other cybersecurity defenses. An excellent place to start to learn more is the ISO 27001 standard.
What is the Purpose of a Cybersecurity Audit?
As mentioned above, the main goal of a cybersecurity audit is to identify and qualify the current cybersecurity controls in place.
Why do we care about this information?
An organization's maturity level will typically dictate the level of risk they’re willing to be exposed to and the level of protection they need to mitigate this risk. In other words, depending on the company size, industry, projects, and the nature of their business, it’s important to benchmark their cybersecurity efforts against similar players in the industry and understand if they’re ahead of behind.
With this information and knowledge, the company will choose to assess their need to change, involve other 3rd parties to bring them up to standard, or simply expose themselves to the risks they deem acceptable.
A cybersecurity audit will uncover current best practices and provide a path forward in the upcoming years. It will identify areas that need more attention, can be corrected quickly, and can be improved with a small capital / human investment. They’ll prioritize these categories based on industry knowledge, previous assessments, conversations with the management team, company culture, etc.
What’s the Difference Between Internal and External Cybersecurity Audits?
Companies have the option to conduct an internal audit or to bring in external consultants. External auditors come at a premium. However, they’re often skilled in their craft, have extensive experience in cybersecurity across multiple verticals, and are impartial in their audit.
Internal audits must be part of your core requirements when it comes to cybersecurity. They’re used to identify misses in your company's controls and pinpoint fundamental areas of improvement your organization needs to address.
Based on our experience, external auditors must be brought in regularly. The industry standard is once a year. Smaller companies may conduct a thorough cybersecurity audit once every two to three years.
How to assess the competence and fit of an external auditor?
Only some consultants will fit your business. It’s essential to have an understanding of their experience, their industry knowledge, and their capabilities. During the discovery phase, ask questions to understand their involvement in the projects. What part did they play in the assessment? Who conducted the audit of their organization? Will it be them or a new hire that just joined the industry? What do they typically provide their customers with? Can they forward you a previous report they produced? Are they involved in the implementation process, or do they leave after the audit? Can they provide references for their previous work?
The 3 Best Cybersecurity Risk Assessment Tools
Cybersecurity risk assessment tools and frameworks are often used for internal and external cybersecurity audits. They dictate the cybersecurity audit process, requirements that must be met, and methodologies used to identify the risks involved at every stage.
We’ve compiled a list of tools that we believe every cybersecurity professional should be aware of and discuss with their auditor when considering having an external party for the job.
Network Security Assessment
A network security assessment aims to identify vulnerabilities of technical nature in the IT infrastructure. Some examples include improperly configured firewalls/access control lists (ACLs), applications exposed to external traffic, misconfigured access points through which it’s possible to access the intranet, rogue devices that haven’t been disabled, etc.
The two main components of a network security assessment are vulnerability and penetration. A vulnerability assessment is a defensive audit that will scan network devices and software. This activity will identify best practices to configure the devices, which pathways exist between hardware and software components, which patches need to be applied, etc. A penetration test is an offensive activity - a skilled contractor will attempt to break into the organization and see to expose holes in the infrastructure. The goal here is to identify which methods can be easily used to access and disrupt business operations. The results of penetration tests can be used to increase defenses in key areas.
It’s important to understand that no system can’t be compromised. It’s always a question of how difficult it will be to break into the system, how we can mitigate the threat once it is detected, and what we can do to reduce the damage this attacker will inflict once they are inside.
Social engineering is the practice of obtaining key information that allows one to access the network infrastructure. In simple terms, bad actors are finding ways to access critical components of a business by manipulating employees. Their tactics may include phishing emails, phone calls, mail, physical means, etc.
A staff assessment aims to identify your employees' level of training and awareness. Are they equipped with the knowledge to detect phishing emails? Do they freely share their credentials with others? Do they understand best practices when it comes to external hardware and software? Will they willingly communicate any sensitive information to external parties?
As remote work opportunities rise worldwide, malicious intent to gain access to an organization has increased. As lines between work and personal devices blurred, it has become easier to con employees into installing software, sharing their credentials, and accessing their data over unsecured networks. Those who have been given the privilege to work from home need to understand their responsibilities regarding cybersecurity.
What does an assessment entail?
We’ve seen many organizations deploy various cybersecurity training programs as their employees transition to remote work. Every department must conduct periodic audits to ensure that the materials have been understood. We’ve seen a few approaches on how these activities are conducted:
- Surveys & Quizzes | Many tools have been developed to “softly” assess employees through surveys and quizzes. The goal isn’t to have them sit through an extensive exam but to send them an occasional question with up to four answers. Each question is used to gauge their understanding of a certain cybersecurity measure they have been taught in their onboarding.
- Phishing Emails & Mock Social Engineering Tests | Several organizations have adopted ways to automate phishing emails for those that have been training. Now and then, the organization would send an email with a “suspicious” link following current best practices. If an employee clicks the link, the cybersecurity manager can statistically identify gaps and propose a re-training plan for a specific group/department.
- Remote Desktop Monitoring | While you must follow strict monitoring laws that govern the conduct in your jurisdiction, it’s possible to utilize tools that will uncover activities that may compromise your company conducted by your employees - Ex: connecting to unsecured networks, connecting unknown hardware and installing software that contains malware, visiting websites that cybersecurity organizations have blacklisted, etc.
NIST Framework Assessment
The US government developed the NIST Framework to equip organizations to combat cybersecurity threats such as ransomware. The idea of the framework is to provide an easy-to-digest approach to cybersecurity so that companies that don’t have highly skilled teams can still protect themselves.
NIST Step 1 - Identify
The first step of the NIST framework is to conduct a cybersecurity audit. As we previously discussed, the first step in every organization should be to establish a clear understanding of our current best practices and protocols.
NIST Step 2 - Protect
The goal of the second step is to create the first layer of defense against threats. The actions are broken down into the following categories - manage access to assets and information, protect sensitive data, conduct regular backups, protect your devices, manage device vulnerabilities, and train users. As any user will notice, each item is vaguely defined within the framework. What this means is that any organization can use it as a starting point but will need to identify what every item means to them. For example, “protect your devices” for an e-commerce company may indicate a protocol for disabling USB ports of employee laptops. In contrast, the same notion for a manufacturing company may imply that they need to physically secure their production lines from access by outsiders through the use of barriers, employee identification cards, etc. In other words, the framework needs to be adapted to the user.
NIST Step 3 - Detect
The detection of cybersecurity threats varies from organization to organization. From our experience, most organizations are reactive, although they have essential tools to identify the status of their systems. Those that heavily invest in digital assets have automated means to detect breaches and typically react promptly as breaches arise. However, that’s the exception, not the norm.
The four detection categories within the NIST framework are testing and updating detection processes, maintaining and monitoring logs, knowing the expected data flow for your enterprise, and understanding the impact of cybersecurity events.
NIST Step 4 - Respond
As breaches occur, it’s important to have a reaction process. What’s the protocol to follow during a breach? Is there a response team that must be reached? What procedures do they follow once they are notified of a cybersecurity failure? The key components of a response step based on a NIST framework are to ensure response plans are tested, update response plans, and coordinate with internal and external stakeholders. The overarching principle is simple - establish guidelines and keep them up to date.
NIST Step 4 - Recover
During an incident, it’s likely that you’ll have to shut down a portion of your infrastructure to mitigate the attack, and some of the components may be compromised despite the measures taken. Regardless of the damage, it’s important to have a recovery plan. Who’s in charge? Which steps must be taken to ensure the compromised infrastructure won’t propagate the virus? How do we test and bring our equipment/software back online?
The key concepts under these steps are ensuring recovery plans are up to date, communicating with internal and external stakeholders, and managing public relations and company reputation. It’s important to note that when major incidents occur, the information that leaks about the incident may be as damaging, if not more, as the incident.
Conclusion on Cybersecurity Audits
In conclusion, it’s important to conduct cybersecurity audits regularly. By themselves, they aren’t the answer to all cybersecurity-related issues. Their goal is to provide a means to understand the program's current state and create an action plan to mitigate certain deficiencies based on the threat they pose.
As a starting point, we recommend that every organization consider one of the three frameworks we covered for their cybersecurity audit - Network Security Assessment, Staff Assessment, and NIST Assessment. We recommend that every organization start with an internal audit to understand its cybersecurity best practices fully. Once that is complete, we recommend looking into a 3rd party evaluation. The benefits are an unbiased external opinion and industry expertise.