According to a post on the Cyber Security Intelligence website (https://www.cybersecurityintelligence.com/blog/the-scope-of-a-cyber-security-audit-4734.html) most cyber breaches occur because of a false sense of security. A company may have a firewall and advanced hardware and/or software, but criminals target the weak links - people, processes and procedures.
While cyber risk can never be completely eliminated, businesses need to manage it. The first step to a more secure network is to discover existing vulnerabilities and find solutions through a cyber security audit focusing on standards, guidelines and procedures and implementing controls.An audit goes beyond standard risk assessments to establish security standards; enforce regulations and best practices; and show how current processes are working.
According to PWC, cyber security fundamentals are:
- Understanding the organization's critical information, where it is stored and who has access.
- Understanding the threat landscape.
- A governance framework with executive accountability and organization-wide security culture.
- Operational resilience to minimize the impact of a cyber attack.
- A defined strategy for security investment and regulatory compliance.
There are two types of audit, external and internal. External auditors provide professional expertise and knowledge but at a high cost. Internal audits are easier to manage and have more intimate knowledge of their company, but the auditor may not have the necessary skills.
Whoever performs the audit, it should be done at least quarterly to keep up with security developments. Auditors must consider how an organization is dealing with common threats:
- Careless or poorly trained employees.
- Phishing attacks.
- Weak passwords.
- Insider threats.
- Distributed denial of service attacks.
- Employee devices.
- Malware.
- Physical theft/natural disaster.
I will be posting a detailed list of actions an organization can take to improve cyber security.