8 April 2021
Checklist: How to Run a Business Security Audit
For every headline about security breaches in corporate and government organisations, many more cyber-incidents occur without the same fanfare. For the small and mid-sized businesses affected, though, the impact is no less severe. The Australian Cyber Security Centre (ACSC) receives a report of cyber crime every ten minutes, and says 62% of small-to-mid-sized businesses have experienced a cyber security incident.
One important preventative measure is to ensure your business conducts a regular IT security audit. But what if you don’t have funds for an external expert right now, or would like to narrow down any problems to get the most for any consulting time? It is possible to run a self-audit, either as a precursor to commissioning a third party, or, with sufficient time and expertise, instead. Our security experts have put together a checklist that will help you to outline your current state, then identify and address your IT security priorities.
1. Assess your current state
Start by creating a list in Excel, divided into sections such as physical security; admin controls; account management; IT and security policies; app management; data management; cloud; backup; network security (including firewall and wireless); endpoint protection (including software patches and antivirus); and IT infrastructure. Seek out all relevant information available in each category, so that you build a more complete picture of your environment in its current state.
2. Establish priorities
Rate each section and sub-section from zero to five, first in terms of the impact to your business if a security breach occurs, and second, the likelihood of a breach. This gives you a simple way to place security needs in order, so that you can tackle the issues with the highest scores first. As you work through your list, consider industry standards and regulatory requirements, and use those frameworks to inform your rating. If you have a cyber security insurance policy, check that you meet all required measures – if the policy requirements are not in place, this could void your coverage, making any breach far more costly. Total the impact and likelihood scores for each item, and use this to form your security plan.
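As an added illustration of steps 1 and 2 (this is not code from the TechPath post), the register below rates each audit section for impact and likelihood on the zero-to-five scale, totals the two scores, orders the highest totals first, and flags any control your insurance policy requires that the audit found missing. The section names, ratings and insurance flags are constructed sample data.

```python
from dataclasses import dataclass

SCALE = range(0, 6)  # the post's zero-to-five rating


@dataclass
class AuditItem:
    section: str
    impact: int                        # harm to the business if this area is breached
    likelihood: int                    # how likely a breach in this area is
    insurance_required: bool = False   # the cyber insurance policy mandates this control
    in_place: bool = True              # the control is currently implemented

    @property
    def total(self) -> int:
        # The post totals the two ratings; a higher total means a higher priority.
        return self.impact + self.likelihood


def validate(items):
    """Reject ratings outside 0-5 so a typo in the spreadsheet cannot skew the ranking."""
    for item in items:
        if item.impact not in SCALE or item.likelihood not in SCALE:
            raise ValueError(f"{item.section}: ratings must be between 0 and 5")
    return items


def prioritise(items):
    """Order items highest total first; ties go to the higher impact rating."""
    return sorted(validate(items), key=lambda i: (i.total, i.impact), reverse=True)


def insurance_gaps(items):
    """Controls the insurance policy requires that the audit found not in place."""
    return [i.section for i in items if i.insurance_required and not i.in_place]


# Constructed sample register (hypothetical ratings, not real audit data).
REGISTER = [
    AuditItem("backup", impact=5, likelihood=3, insurance_required=True, in_place=False),
    AuditItem("endpoint protection (patches, antivirus)", impact=4, likelihood=4, insurance_required=True),
    AuditItem("account management", impact=4, likelihood=4),
    AuditItem("physical security", impact=2, likelihood=1),
]

if __name__ == "__main__":
    for item in prioritise(REGISTER):
        print(f"{item.total:>2}  {item.section}")
    print("insurance gaps:", insurance_gaps(REGISTER))
```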
3. Address your cyber-security history
If you have had breaches in the past, ensure you record how they occurred, and check whether any weaknesses were fully addressed. There is typically a pattern. For example, if hackers are exploiting weak passwords, question what can be changed to reduce risk of recurrence.
4. Run a user survey
It is simple to whip up a quick questionnaire using tools like Microsoft Forms or Survey Monkey, and we recommend asking 6-12 questions that will help you to get an insight into user knowledge and behaviours. There are also some great online tools, both free and paid, that can run phishing tests to see which users click on fake emails. This can help you to review your score for the likelihood of an event based on mail scams.
5. Create an application and data checklist
Find out who has access to which systems, and at what level. Review whether the permissions set are still valid. Many breaches happen at the hands of current or former staff, whether malicious or accidental, so it pays to only give the level of access needed, and to include IT security in staff exit processes.
Now that you are armed with a more detailed look at your situation and have identified your priorities, you are in a great position to determine which of your highest-rated priorities you can improve in-house, given the availability of skills and time, and where you will need extra help or a fresh perspective from a security specialist. Even if some of the issues have you stumped, you are in a more knowledgeable position to reach out to an external expert for recommendations and assistance, which can help to keep costs down. If you do embark on an external security audit, you will come away with a readable, detailed report with clear recommendations to address any weaknesses, tailored to your unique business situation.
If you have never done a security audit, given the current escalation of cyber-crime, you should plan to conduct one as soon as possible. After that, it is worth repeating these checks whenever there is a significant change to your organisation, such as rolling out new software or introducing a new product range. Now that you have established your current situation, you should also schedule future audits every one to two years. If it is in your calendar, it won’t be overlooked.
Your security audit can be a great way to help others in your business to understand risks, and while security is top of mind, there are some great online resources to help train users:
As always, your TechPath account manager is a great source of tips, tricks, and up-to-date information about security trends. Follow us on LinkedIn for more security advice and news, or contact our friendly team today.