Some notes from the trenches this week; we’ve seen a definite increase in the number and frequency of our clients (and organisations in general) conducting cybersecurity audits. In some cases this is linked or related to the quest for cybersecurity insurance, and in others it is just plain good corporate governance at work. Either way, regular audits are highly advisable, routinely necessary, and a foundation stone in enduringly good cybersecurity. And governance, of course.
Now, you don’t need me to tell you the depressingly familiar story of cyber risk: if not constantly increasing, then certainly a constant. Our industry does tend a bit toward the hyperbolic, so I prefer looking at the threat landscape as something of a constant rather than a burgeoning tower of Babel with no end in sight. Easier to merely accept ‘yes, these things happen all the time, and also yes, it can and probably will happen to me/you at some point’.
What that point is, and how it happens, is really the open question. It is also this question that a regular security audit directly addresses.
One of the patently obvious things about infosec risks is that they evolve. Paradoxically, even as new and exciting (not necessarily in a good way) threats emerge, a lot of the old and plain dull ones persist. You know what I mean: a good old DDoS attack, an unpatched Windows 7 machine lurking somewhere in the background, the 12345 password to a crucial server, and the toughest gap to plug of all, human error.
Old or new, a hack is a hack. And defence is always tougher than attack, because you must be prepared for anything, while the hacker only needs one successful tactic. You cover everything, they focus on that one thing that gets them in.
Coming back to security audits, then. We all know complacency, along with the constantly shifting sands of attack vectors, is among the most significant risks faced. The guard must always be up, because if it isn’t…
And that’s the crux of a regular audit. Defined as a systematic, measurable technical assessment of how your organisation’s security policy is employed, it is part of the ongoing process of defining and maintaining effective protection against if not all threats, then those identified in your policy as most relevant.
It isn’t just a technical exercise, though. It’s also an exercise in visibility, plainly and prominently putting infosec on the agenda – and as organisations like the Institute of Directors have, to their credit, stressed for years now, it should be part of the Board agenda as well as the operational one.
What ‘regular’ means isn’t the same for every organisation. A charity, for example, might be as legitimate a target for a hacker as a bank, but the budget and priority of security measures won’t be the same. This doesn’t mean the underlying approach should differ, but it may well require a different cadence.
We generally start with a recommendation of a quarterly review and a full scan of systems, processes, and people. The point of course is identifying any weaknesses, shortcomings, or vulnerabilities, so the budget – whether large or small – is focused and directed where it makes the most impact. Nothing astonishing there; it is a matter of measurement, really, and as we know, that which isn’t measured can’t be effectively managed.
One final note on audits is that they benefit you as well as everyone else. As I’ve noted previously, infosec isn’t unlike housebreaking on any given street. The least-defended targets are the low-hanging fruit for the miscreant; when all houses are secure, so is the entire street. By taking care in your infosec, you’re taking care of your community.
And being a good corporate citizen is being a good neighbour. Always a good thing.