While cyber security has never been a static priority, the past year has taught us just how drastically the risk landscape can change, and how much we need to continually reassess security best practices.
After all, this twelve-month period alone has seen a 400% increase in cyber attacks, with data security coming especially under fire as 62.4% of organisations fall foul to sophisticated phishing attacks and ransomware that feels impossible to foresee.
Unfortunately, this landscape of change comes at a challenging time. Not only are organisations struggling to accommodate remote working, but economic pressures are complicating making the necessary investments. 61% of UK businesses were experiencing IT skills shortages even pre-pandemic. Unfortunately, many teams lack the time and skill sets to shore up risks in an ever-changing threat landscape. However, effective auditing skills can help you focus on the right things, and make the necessary changes to minimise risk without overrunning costs.
Here at Six Degrees, we work to address both the cyber security skills shortage and rising risks with on-demand audits and solutions to suit every need. We can ensure that you stay on the pulse and help you undertake a cost-benefit analysis approach to cyber security in order to make the right investments today. The question is, what exactly do auditing best practices look like in 2021 and beyond?
Additional resources: If you need help communicating your post-audit strategy to the board, check out our free resource — Board Presentation Toolkit: Cyber Security and Threat Management.
What is a Cyber Security Audit?
Quite simply, a security audit is a comprehensive review and analysis of your business’ IT infrastructure with an aim to understand, manage, prioritise, and mitigate risks. Expertly executed audits should forever sit at the centre of your cyber security solutions, answering questions about data storage, priority assets, and acceptable levels of risk, ensuring a range of different business essentials, such as:
- A more effective security posture
- Increased data security
- Data compliance
- Dynamic threat management
- Cost-effective solutions at all times
The Different Types of Cyber Security Audit
Audits aren’t a one-fit solution. Rather, there are different types of cyber security audit, each of which focuses on very different priorities. The types that you’ll most commonly have to choose between are:
- One-time audits for companies looking to introduce new software/get a grip on new risk landscapes.
- Tollgate audits or ‘go or no-go’ audits that determine whether a new process or procedure can be introduced.
- Portfolio assessments which are regularly scheduled audits that pit existing security processes against current risk and business climates.
By using a combination of these audit types at different times, you will be able to focus on the specific goals of your organisation and use audit results for the right reasons.
Cyber Security Auditing Best Practices 2021
Undertaking an effective cyber audit requires understanding best practices. We believe that there are four critical steps to this process.
Step 1: Find the right auditing professionals
Having access to the right skills is critical to even being able to embark on an audit. Historically, cyber security audits have been done in-house. But this brings challenges recruiting and retaining the right people.
The 2021 landscape presents new risks on an almost daily rate. As well as highlighting the need for security audits in the first place. If you don’t have the right people in-house, looking at managed cyber security partners is a great place to find talent. What’s more, outsourcing these tasks allows you to only pay for those cyber security professionals when they are needed — rather than recruiting and building an in-house team that you will have to pay for all of the time.
Step 2: Define your parameters
Each type of audit focuses on a very different aspect of overall security, which is why it’s also fundamental that you know what you’re assessing.
Keep your overview too broad, and you might as well not conduct an audit at all, resulting in lost money and wasted time. Rather, you need to make sure that you understand both what you’re assessing and what falls within that by asking questions including:
- What are you hoping to gain?
- Which assets are relevant?
- What’s your present security stance (appetite for risk, disaster backups, etc?)
- Where is your data stored right now?
- How does all of this relate to the current risk landscape?
As well as helping with asset arrangement, answering these questions can guide you towards the auditing standards best suited to your needs, because there are differences here, too. Most notably, businesses need to decide if they want to address and monitor concerns with their internal controls (SOC 1 Type II), or focus on addressing and monitoring how a service organisation’s controls are relevant to security (SOC 2 Type II). In the vast majority of cases, both standards will be necessary at some stage, but taking one priority at a time is always best for inclusive findings before moving onto the next.
Suggested reading: For more information on these different types of audits, check out our case study — Six Degrees Successfully Completes SOC 1® Type II and SOC 2® Type II Audit Examinations
Step 3: Understand current threats in context
Once you know the parameters of a risk audit, it’s fundamental to understand the current threats that exist within those parameters, and how likely each is to occur. To begin with, this means brainstorming threats that pose the highest risk factors to data in general. So, in 2021, areas of focus might include:
- Phishing attacks
- DDoS attacks
- Human error
- System failures
You then need to put your accrued risks into context to ensure that you can use this information to develop responsive security solutions. Primarily, this means narrowing down your hypothetical list to identify real risks or ‘vulnerabilities.’ Then, it’s time to take things one step further by understanding the nature of these vulnerabilities.
- Systematic vulnerabilities: Most commonly identified using penetration testing, these
are gaps in your security and information systems that hackers could exploit, leading to data breaches.
- Environmental vulnerabilities: These are security gaps, such as human error, that could accidentally leave data at risk, most commonly addressed by up-to-date monitoring of existing and arising risks.
With regards to your audit, this extra level of context is especially useful for ensuring you use the right auditing methods/focus to achieve realistic security improvements that meet risks on the ground, all while keeping security costs to a minimum.
Suggested reading: For more information on how to assess the vulnerabilities and priorities of your organisation, check out our blog — How to Conduct a Cyber Risk Assessment.
Step 4: Remember that cyber security isn’t a destination
As you record your findings, it’s fundamental to remember that cyber security isn’t a destination, and audits are no exception to that rule. Apart from one-time assessments as touched on above, which are predominantly necessary with regards to new software, etc., companies need to implement regular auditing processes at least annually, or perhaps even more with the current speed at which threats are evolving.
It’s then essential to ensure that those audits are not siloed events in the cyber security calendar, but rather that they’re put to good use for ongoing security changes that forever keep your security landscape up to date, ensuring that your time and investment into audits in the first place is definitely worthwhile. Specifically, audits should inform viable actions moving forward including:
- Increased training
- Ever-shifting security processes
- Adherence to current compliance standards
- The ability to do less with more
Here at Six Degrees, we have the tools to simplify audits so that you don’t have to worry, with some of the highest regarded penetration test teams in the industry. This and our focus on security monitoring within an ongoing security cycle ensures that you can not only improve security infrastructures but also that you can forever do more with less by honing in on risks in real-time.
Our stress-free, cost-effective solutions will certainly free you to focus on your business, while we keep security in check. Get in touch if you want to learn more, or check out our blog — The Six Degrees Approach to Cyber Security — to learn more about what we offer to our clients, and how we can enable you to maintain operational resilience in today’s hostile digital landscape.
Subscribe to the newsletter today
2008 legislation that requires all UK public sector