Getting the Most from an IT Security Audit

Guest post by Julie Brown

If you’re running a small business, or you’re responsible for the IT department of a larger enterprise, then the best thing you can do before this year is out is to perform an IT security audit.
A security audit is an easy thing to overlook when everything is so busy, but hackers and criminals never slack, so you should always be on the lookout for exploits and vulnerabilities.
Here’s how to get the best out of your next audit:

Define what you want out of it
Your audit must be as thorough as you can make it. It may, if you’re a small business, be a good idea to make use of the UK’s free service Cyber Essentials to look at your security. At the very least, you need to list the things that need to be examined – all computer equipment and terminals, machinery and anything else that’s networked.

Define the threats
You need to know your enemy – you’re looking for hackers, malware and viruses, as well as slapdash employees who don’t think before opening that unexpected-but-amusing attachment or who still use Password1. There’s also the threat of physical damage – are you in a flood zone? Has there been a spike in break-ins recently?

Learn from previous mistakes
Look at what past audits have highlighted, as well as previous breaches or recurring issues to see if you can eliminate them for good. Past challenges can point to the future – looking at what happened and how you resolved the problems is very instructive. If you got hit badly by a virus last year, make sure that you’re stronger this year, for example.
You shouldn’t forget about old-fashioned threats like fire, either – start a programme of scanning important paper documents and storing them in the cloud.

All of your assets are valuable, but some are invaluable – prioritise the assets you need and value the most and take your biggest and first steps against the likeliest and biggest threats. Your customer database is vital and a likely target, so aim there first. Leave tornado, volcano and asteroid protection until later.

Make a control list
It's an unpleasant fact, but you need to face it head-on; one of your biggest threats comes from within – your own employees. You shouldn’t give out sensitive information willy-nilly to staff unless they need to know, so limit access to mission-critical information.
By making a control list, you can see if someone’s tried to get into restricted files. If it happens just the once, then it’s most likely an accident, but if there have been repeated attempts within a small timeframe, then someone’s up to no good and you need to take swift action.

Bring in intrusion protection
Once you have your control list, you can monitor your network and set up alerts which go to the appropriate staff if there are any intrusions. You can install 24/7 intrusion detection, as well as up-to-date firewalls and the latest antivirus and antimalware systems.
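The “control list” and “alerts to the appropriate staff” ideas from the two sections above, turned into a small worked example. This is added illustration code, not anything from the author of this post: it assumes a constructed access log (one line per access decision, with a timestamp, user, file and result), a hypothetical mapping of folders to the staff who should be alerted, and a simple rule that a single denied attempt is ignored while three or more denials by the same user inside a ten-minute window raise one alert.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not from any real system). Each line records
# one access decision against the control list: timestamp, user, file, result.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice file=/finance/payroll.xlsx result=DENIED
2024-03-04T09:12:30Z user=bob file=/hr/contracts.docx result=ALLOWED
2024-03-04T09:40:05Z user=alice file=/finance/payroll.xlsx result=ALLOWED
2024-03-04T10:01:10Z user=carol file=/finance/payroll.xlsx result=DENIED
2024-03-04T10:02:45Z user=carol file=/finance/bank_details.csv result=DENIED
2024-03-04T10:04:20Z user=carol file=/finance/payroll.xlsx result=DENIED
2024-03-04T10:05:00Z user=dave file=/hr/contracts.docx result=DENIED
2024-03-04T11:30:00Z user=dave file=/hr/contracts.docx result=DENIED
2024-03-04T12:45:00Z user=dave file=/hr/contracts.docx result=DENIED
"""

# Hypothetical routing table: which member of staff is told about repeated
# attempts on which part of the file store (addresses are placeholders).
OWNERS = {
    "/finance/": "finance-lead@example.invalid",
    "/hr/": "hr-lead@example.invalid",
}
DEFAULT_OWNER = "it-security@example.invalid"


def parse_line(line):
    """Turn one 'timestamp key=value ...' log line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_repeated_denials(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per user who racks up >= threshold DENIED results
    inside a sliding time window. A lone denial is treated as an accident
    and never reported; denials spread out over hours do not add up either."""
    recent = defaultdict(deque)  # user -> timestamps of denials still inside the window
    alerted = set()              # users already reported, so each burst is raised once
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] != "DENIED":
            continue
        q = recent[rec["user"]]
        q.append(rec["ts"])
        # drop denials that fell out of the window relative to this one
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["user"] not in alerted:
            alerted.add(rec["user"])
            alerts.append({
                "user": rec["user"],
                "count": len(q),
                "last_file": rec["file"],
                "at": rec["ts"],
            })
    return alerts


def route_alert(alert):
    """Pick the member of staff who should receive the alert from the folder
    of the last file the user was refused access to."""
    for prefix, owner in OWNERS.items():
        if alert["last_file"].startswith(prefix):
            return owner
    return DEFAULT_OWNER


if __name__ == "__main__":
    for alert in find_repeated_denials(SAMPLE_LOG):
        print(f"{alert['at']:%H:%M} {alert['user']}: {alert['count']} denied attempts, "
              f"last on {alert['last_file']} -> notify {route_alert(alert)}")
```

On the sample log, alice’s single refusal is ignored, dave’s three refusals are hours apart and so never meet the threshold, and only carol’s three denials in four minutes produce an alert, routed to the finance owner. The threshold and window are the two knobs an auditor would tune against their own logs before turning the rule into a real alert.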

Look after your emails
Emails are the easiest way into your network – countless spam emails are fired out daily, trying to get people to download dodgy attachments. Your outgoing emails should also be encrypted so they’re not “open” to hackers, and employees should practise good email hygiene.

Get physical
You shouldn’t forget about physical threats like break-ins. Someone could steal a laptop or a tablet and download your information that way. Make sure your physical office is well-protected and that all work devices are encrypted and password-protected, right down to the oldest smartphone in the building.