Many organisations think they are safe, and it is only when a significant event occurs that they question their IT security – effectively closing the stable door after the horse has bolted. This happened to one of our clients who lost data last year but is only now thinking of increasing security.
Things are changing with the imminent arrival of GDPR, and there is an even greater need to undertake an IT security audit and risk assessment so that you can implement a robust strategy. We always say it is not a matter of if, but when, your system is targeted. According to the DTI, it takes six months on average to discover a breach. So why are we making it so easy for the hackers?
A useful metaphor is to think of your IT system as your house. You may lock the door behind you every time you leave home, but if you have not checked all the other doors and windows, your property is still insecure.
An IT audit will help you to establish how effective your security is. We will check an organisation’s security against the 5 pillars of Cyber Essentials to make sure the organisation adheres to them. But even where an organisation holds Cyber Essentials certification, there is still no guarantee that the underlying work has actually been done. One client, who had a Cyber Essentials certification, thought they had good security in place, but our audit discovered that in fact they did not and had significant security vulnerabilities.
We will also look beyond the system itself, at the security culture of the organisation. We do this by observing the way people work in order to assess the general attitude towards cybersecurity. For example, passwords scribbled on Post-It notes and kept on the desk are classic indicators of weakness.
One terrible example of poor organisational security came when we were asked to do some consulting for a problem with a client in the oil & gas industry. Our MD talked to the company’s IT manager to make sure he would be given access to the system, and the manager simply emailed him the password for their entire system!
Finally, we conclude our audits with a penetration test that first scans the firewall and internal connections to identify vulnerabilities, then, if requested, exploits them to see if we can get into the system.
A security audit should be an annual event. All companies accept finance audits as part and parcel of the business process and should think of security in the same terms.
The good news for small businesses is that they have the advantage of knowing the extent of their perimeter and can easily ensure it is properly secured. To use the building analogy again, a small IT system is like a house, where it is a straightforward task to ensure all the doors and windows are secure; whereas a large IT system is like a sprawling industrial site, which needs more time, technology and manpower to make it secure.
If you would like to talk to us about any aspect of your IT security, please contact us to arrange an appointment.