There’s no doubt that cybersecurity presents a sizeable and growing risk to many companies. Regulators, investors, media, and other stakeholders are often aware of such risks and will want to know how a company manages these risks. Of course, board members and company chiefs must oversee any cybersecurity risk management program, and as part of this work, they should initiate robust auditing methods. If you have responsibility for cybersecurity and protection, how can you step up these audits at your firm?
Cybersecurity challenges of remote work
In the wake of the pandemic, more employees than ever are working from home, a trend that will likely continue. Unfortunately, remote working may significantly increase the risk of a cybersecurity breach due to several factors.
For example, many companies do not have a written remote work policy to help each individual address the risk. As such, there may be no backup, media storage, remote access, and information handling rules. Such a policy should insist that workers keep their devices separate and never mix business and pleasure on a particular machine. It could champion the use of a VPN.
In addition, some workers may not be aware that they need to install updates as soon as they become available; software left unpatched keeps known security flaws and other gaps open. Remote workers may also be unaware of the potential for phishing scams, which have increased since the lockdown. A careless click could compromise the entire system.
Auditing for security
Even though companies may have a remote work policy in place (or be willing to create one), it’s still not a good idea to be passive. This is where a cyber audit comes in, as it can continually evaluate the potential for cybersecurity incidents.
Best practices for cybersecurity audits
Cybersecurity is not simply a technical challenge; the risk is highly personal. The individual employee is often the weakest link; thus, audit programs must focus on the workforce.
A robust approach to understanding your organisation's vulnerabilities is a crucial starting point, and it has three distinct stages:
Stage 1: Workshop - Conduct a detailed workshop with you to understand your current IT, network and infrastructure along with your controls, systems, and processes.
Stage 2: Technical Analysis & Audit - We will conduct the technical analysis and cyber audit of your controls and systems using international best practices and next-generation security implementation solutions.
Stage 3: Report & Presentation - Following our assessment of the audit findings, we will prepare a comprehensive Cybersecurity Audit report. We will present this report to you and, where necessary, include a recommended phased remediation and implementation plan.
Once an audit is complete, the company should have actionable insights that help decision-makers identify vulnerabilities and give them a basis for their strategies. They can pinpoint areas that are particularly vulnerable and create training campaigns, policies, and procedures to address them.
Who should audit?
Cybersecurity expertise is the only option to ensure you have a clear view of your organisation's vulnerabilities. A professional security audit, conducted to a global standard, is called a CIS Audit (Centre of Internet Security). This approach determines the risk profile and provides valuable insights into potential vulnerabilities. Since the CIS Controls were developed by the cyber community and are based on actual threat data, they are an authoritative, industry-friendly, and vendor-neutral approach to assessing and auditing security. Most importantly, they are kept up to date, given the ever-evolving nature of cybercrime. The CIS Controls are considered an international-level collection of best security practices.
There is no set standard for audit frequency; the appropriate interval is best considered per industry sector. After an audit, most prudent organisations opt to have their environment monitored continuously, given that it is a low-cost and highly effective way for business leaders to mitigate threats.
Structuring your audit reports
Once the audit is complete, the information will be in an actionable, structured form. It will contain a solid executive summary and a meaningful analysis of each finding rather than simply presenting the output as gathered.
The report should include any figures used in the audit and suggest remediation guidance rather than simply pointing out any security gaps.
The summary, written for both technical and board audiences, will explain the significance of the findings, especially in the context of recent events or current threats.