How to Audit Your Business for Cyber Security Risks
We spend a lot of time talking to owners and managers of businesses about their IT. You won’t be surprised to hear that the subject of IT security comes up more often than nearly any other topic. Most C-suite level staff have an abject fear of unknowns, since an unknown can’t be planned for, and IT security often falls firmly into that category.
How likely are we to be attacked? What form might that attack take? How seriously will it affect my business? How can I prepare and mitigate the damage?
These are all excellent questions to ask and this article will help show you how to create an IT security audit for your small business.
Start by getting organised. To create a solid audit, you’ll need to do three main things.
1. Create a spreadsheet of everything you control that could be used by bad actors.
Broadly, this means creating a list with all the following items.
- Cloud services
- Internet service providers
- Networking equipment
- Server-based equipment (including any network-attached storage)
- Client-based equipment
- Mobile devices and BYO equipment
- Telecommunications equipment
- IoT devices (like photocopiers)
- A list of staff and their access levels
For each of these, you’ll need to add columns for each type of potential attack. These fall into firmware/hardware attacks, software attacks and configuration attacks. For each device, detail in the spreadsheet who is responsible for testing, verifying and installing updates to firmware and to software for each device. Also, include who is in charge of configuring each device and who is allowed to make changes. For network devices, this might be quite simple. For client computers, this could be more complex because different users may be logging on to each.
Once you’ve made this spreadsheet, don’t forget to assign someone to keep it updated.
You must treat any device with unapplied updates as a potential risk. However, applying updates also carries risk, so you need to know what updates are available for each device and whether they include security fixes.
Incorrectly configured equipment is harder to spot. The only real way to get this checked is an in-depth audit by a company with an IT security specialist who understands that particular equipment. This is one of the reasons Lucidica likes to ensure we have a broad range of staff with specialist skills.
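As an added example (not code from the original article), a small Python script that runs the checks described above over a constructed asset register: it flags assets with no named owner for firmware, software or configuration changes, any unapplied update (security updates rated higher), and entries nobody has reviewed recently. The column names, the 90-day review interval and the sample rows are assumptions made for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample register (not a real client's data): one row per asset,
# with an owner per attack class and the state of any pending update.
SAMPLE_REGISTER = """\
asset,category,firmware_owner,software_owner,config_owner,pending_update,update_is_security,last_reviewed
edge-fw-01,Networking,Alice,Alice,Alice,yes,yes,2024-01-10
nas-01,Server,Bob,Bob,,no,no,2024-03-02
laptop-07,Client,Carol,,Carol,yes,no,2023-06-15
mfp-printer-02,IoT,,,,yes,yes,2023-01-20
"""

AUDIT_DATE = date(2024, 4, 1)          # assumed date the audit is run
REVIEW_INTERVAL = timedelta(days=90)   # assumption: older entries count as stale


def audit_register(register_csv: str, today: date) -> list[tuple[str, str]]:
    """Return (asset, finding) pairs for every gap the audit should raise."""
    findings = []
    for row in csv.DictReader(io.StringIO(register_csv)):
        asset = row["asset"]
        # Each attack class (firmware, software, configuration) needs a named owner.
        for role in ("firmware_owner", "software_owner", "config_owner"):
            if not row[role].strip():
                findings.append((asset, f"no {role.replace('_', ' ')} assigned"))
        # Any unapplied update is a potential risk; a security update is urgent.
        if row["pending_update"] == "yes":
            severity = "HIGH" if row["update_is_security"] == "yes" else "MEDIUM"
            findings.append((asset, f"{severity}: unapplied update"))
        # The register is only useful if someone keeps it current.
        reviewed = date.fromisoformat(row["last_reviewed"])
        if today - reviewed > REVIEW_INTERVAL:
            findings.append((asset, f"entry not reviewed since {reviewed.isoformat()}"))
    return findings


def summarise(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per asset so the worst-covered devices surface first."""
    counts: dict[str, int] = {}
    for asset, _ in findings:
        counts[asset] = counts.get(asset, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for asset, finding in audit_register(SAMPLE_REGISTER, AUDIT_DATE):
        print(f"{asset:16} {finding}")
```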
2. Make a list of all the types of attack that could affect you, and decide how you can minimise your “attack surface”.
Time for another list: this time it’s all the ways you might be attacked. This should include:
- Attacks against your website
- Attacks against your cloud services
- Brute force attacks on internal and external services
- Email-borne attacks
- Attacks against your network perimeter (normally a firewall)
- Attempts to phish your staff
- Attacks against IoT infrastructure
- Physical attacks
Each of these should have a mitigation strategy. For example, email-borne malware needs to be blocked by some form of email scanning technology. Likewise, your website needs to be expertly produced with security baked in. Now, look at what would happen if an attack succeeded. How would each of these attacks affect your business? This could range from a small inconvenience, such as having to take a PC offline for a day to disinfect it, to a total shutdown of your business for multiple days. Plan for multiple attacker motives. Some attacks will seek to steal data and sell it, while others will seek to encrypt data for ransom. Others might simply want to cause widespread disruption or damage your reputation. Being alert to the profile that attacks take lets you customise your strategy and response.
3. Decide how you’ll maintain your security into the future and how you’ll test it.
Now, look at your response to each situation you’ve identified in section two. This should include what you’ll do to reduce risk now and in the future (regular updates, password changes, data backup, staff training etc) and how you would respond in the worst-case scenario for each attack.
Don’t assume your backup will always get you out of jail free. Some attacks will target common backup systems or methodologies so they can’t be used for restoration. Also, remember that loss of files is not the same as loss of a database or line of business application.
Lastly, think about how you’ll test and monitor your security. Are staff trained on what to do and what to look out for? Do they know if, in each case, they should sit and wait or immediately turn off their equipment?
Consider whether you need to hire a professional to do penetration testing. While this might sound like overkill, they may be able to spot risks you hadn’t seen and ensure you’ve plugged all the holes correctly.
Having read this you might well be thinking it’s a lot to get done. Yes, IT security is not an easy task but reducing those “unknowns” and having a good idea of where you stand is your best defence.
As a starting point, Lucidica is always happy to audit your whole digital IT estate and let you know the easy, and not so easy, wins you can see in your security. Get in touch with us if it’s something you’d find useful.