21 October 2021
Security Assessment, Security Audit, or Penetration Test: What Does My Business Need?
When it comes to preventing cyber-crime, knowledge is power. The better you can understand the way your business uses technology, and the risks in your environment, the better your chances of presenting a strong defence. As IT environments become more complex, getting a complete picture requires specialist cyber-security skills, but these are in short supply. Many businesses turn to a security assessment, security audit, or a penetration test, but what does each process involve?
What is a security assessment?
A security assessment involves a skilled security engineer conducting a high-level assessment of your organisation’s security posture. At TechPath, we call this a ‘Cyber Alignment Review’, because we also consider the impact of your security arrangements on your unique business situation. On completion of the security assessment, we report our findings, providing a detailed risk register that outlines cyber-security risks, impacts, mitigation strategies and recommendations for improvement.
The assessment process answers four fundamental questions:
- Australian Signals Directorate (ACSC): how well do we meet the Essential Eight guidelines for core security controls?
- People: what human risks and weaknesses exist that increase cyber threat?
- Technical: what are the current limitations of the IT systems and technology?
- Policies: do organisational policies regarding information protection, governance, and disaster recovery planning involve unacceptable risk?
What is a security audit?
Our security audit covers every element of the security assessment, plus it takes a more in-depth look at a customer’s technical environment. After establishing the current state, our security expert works with the customer to determine appropriate frameworks for measuring the organisation’s security stature. The current situation is assessed against key security principles, such as CIS, Zero Trust and Principle of Least Privilege. Your network is thoroughly scanned and reviewed, then findings are compiled into a final report that recommends any changes needed.
What is a penetration test?
A penetration test simulates a real-world cyber-attack against an organisation. It probes what information is publicly available, and where an organisation is vulnerable or exposed. After conducting a penetration test, the TechPath engineer returns a report outlining the outcome. The methodologies used to exploit systems are provided to the organisation, and this can be helpful in achieving a better understanding of cyber-security risks. A penetration test does not take the same in-depth look at risk or provide the level of detailed recommendations of a security audit, but it can be a good way to demonstrate that problems exist, or to justify further exploration.
Why are you asking?
While organisations around the world grapple with a pandemic, cyber-crime has also reached epidemic proportions. The Australian Cyber Security Centre (ACSC) reported a 13% jump in reported cyber-crime in FY 2020/21, following a record-breaking previous year. A lot of organisations approach us when they have been breached or experienced a data leak, while others are concerned about protecting intellectual property. A growing trend is the requirement for small and mid-sized businesses to demonstrate compliance as the condition of a tender, especially when bidding for government business. Cyber insurance cover also typically demands meeting certain standards, and the last thing any organisation needs is to find after an attack that their coverage is void.
Given the current landscape, it is always a good time to be thinking about security, but if you have made recent changes, such as refreshing infrastructure or moving to the cloud, it is especially important. The ideal frequency of security reviews varies according to the organisation, but it is worth remembering that best practice changes as technology develops.
What is the difference and what is best for my business?
Assessments are a great starting point. They help business and IT leaders to understand the organisation’s security posture. This is an effective way to get an overview of the current status, and helps the business decide where to focus security efforts. However, since assessments offer a high-level look, they may not highlight all areas of concern and risk.
Because they delve deeper, security audits provide more detailed recommendations to help secure your business. If you want to understand all current risk, and achieve optimal protection, this is the best option.
A penetration test is commonly requested for compliance, to get management buy-in, to check services on a regular basis, or after changes to the IT environment. They check an organisation’s external and internal resilience but provide less detailed recommendations than a full security audit.
We use a simple questionnaire that can help you to decide whether a security assessment, a security audit, or a penetration test will cover the elements you need. Reach out to TechPath’s friendly security experts to discuss your desired outcome, and we will be happy to help you to find the best path forward.