The Annual Security Audit Myth
The nature of cyber and network security is that you can never relax. The moment you think you’ve covered all potential vulnerabilities, a multitude of new threats emerge.
Cybersecurity is broad, fast-moving and always growing. Because it’s so vast and the stakes so high, those concerned with maintaining security have a tendency to fall into a key myth of cybersecurity: “We are doing fine as long as we pass our annual security audit.”
This way of thinking occurs when cybersecurity is approached with a checkbox mentality. If you approach cybersecurity as a list of items you can check off and then relax, you’re definitely not safe.
Companies such as Equifax, Target, and Home Depot completed the audits required for their industries prior to their high-profile data breaches. Security audits are necessary for accountability, but they are only one part of a larger system. It’s best to approach cybersecurity as a constant process, rather than a destination you can reach.
How often should a security audit be performed?
It is recommended to perform one at least 2 times a year, but the right frequency also depends on the size of the organization and the type of data you are dealing with.
Going beyond the annual audit
Create a map of your entire network
The first step in leveling up your security measures is to start with your own network. Rather than starting with the requirements of the audit, you should do a comprehensive mapping of everything connected to your network.
An audit will give a detailed checklist of items to answer. Are firewalls up to date? What are your threats? This checklist will be useful. However, it’s not going to give a full picture of your network or the ability to create segmentation in your network.
This map would include:
- Routers, switches, firewalls, WAF
- Printers and connected devices
- Internet of Things (smart TVs, thermostats, cameras, etc.)
- Mobile devices
- Cloud/SaaS - your software subscriptions and passwords
Developing a full map of your network is the beginning of enhanced network security. Seeing the full picture of your network allows you to apply segmentation. Since you can’t focus on all things at once, creating segmentation allows you to keep vulnerable parts of the network separate from your most crucial data.
You can also systematically patch and assess areas within the network, moving from one segment to the next. This cuts the overwhelming task of cybersecurity down to size, letting you eat the elephant one bite at a time.
Know where you could be weak
After you’ve mapped the network, the next thing you’ll need to do is prioritize your effort. According to a 2017 Verizon report, 80% of hacks are successful due to a lack of patching.
You’ll need to build a plan to assess and patch vulnerabilities. This is another reason why segmentation in your network is important. If you have legacy systems, you may not be able to patch them. However, you can keep them separate from sensitive information in your network.
As you deploy a vulnerability scanner, you can keep up to date on where the patches are needed and prioritize the segments of your network that are most important.
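The network map, the segmentation check for unpatchable legacy systems, and the segment-by-segment patch order described in the two sections above, as an added example (not code from NetDocuments or the original article). The inventory, segment names and segment priority order are constructed for illustration; in practice the asset list and open-finding counts would come from your discovery tooling and vulnerability scanner.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str              # router, firewall, printer, iot, mobile, saas, server ...
    segment: str           # network segment (VLAN/zone) the asset lives in
    holds_sensitive: bool  # stores or processes your most crucial data
    patchable: bool        # False for legacy systems that cannot be patched
    open_vulns: int        # open findings reported by the vulnerability scanner

# Constructed sample inventory for illustration; not a real network.
INVENTORY = [
    Asset("core-fw", "firewall", "edge", False, True, 1),
    Asset("db-01", "server", "data", True, True, 3),
    Asset("app-01", "server", "data", True, True, 2),
    Asset("legacy-erp", "server", "data", False, False, 7),
    Asset("lobby-tv", "iot", "data", False, False, 2),
    Asset("mfp-2f", "printer", "office", False, True, 0),
    Asset("cam-01", "iot", "iot", False, False, 4),
]

# Lower number = more important segment; assumed ordering for this example.
SEGMENT_PRIORITY = {"data": 0, "edge": 1, "office": 2, "iot": 3}

def network_map(inventory):
    """The 'full picture': which assets (and of what kind) sit in each segment."""
    segments = defaultdict(list)
    for a in inventory:
        segments[a.segment].append(f"{a.name} ({a.kind})")
    return dict(segments)

def segmentation_violations(inventory):
    """Unpatchable assets sharing a segment with assets that hold sensitive data.
    These are the legacy systems that should be moved to their own segment."""
    sensitive_segments = {a.segment for a in inventory if a.holds_sensitive}
    return sorted(a.name for a in inventory
                  if not a.patchable and a.segment in sensitive_segments)

def patch_plan(inventory):
    """Patchable assets with open findings, most important segment first and
    most findings first within a segment: the order to work through, one segment at a time."""
    todo = [a for a in inventory if a.patchable and a.open_vulns > 0]
    todo.sort(key=lambda a: (SEGMENT_PRIORITY.get(a.segment, 99), -a.open_vulns))
    return [a.name for a in todo]
```

Running `segmentation_violations(INVENTORY)` flags the legacy ERP and the lobby TV, both unpatchable devices sitting in the same segment as the sensitive database, and `patch_plan(INVENTORY)` puts the data segment's servers ahead of the edge firewall.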
Build a user awareness program
The only risk more pressing than unpatched vulnerabilities is your people.
The human element continues to drive breaches. Whether it is the use of stolen credentials, phishing or simply an error, people continue to play a large part in incidents and breaches alike.
According to the same Verizon report, 80% of hacking-related breaches employ reused, stolen, or weak passwords. There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the last four years.
Hackers know teams are investing in cybersecurity. Their best chance of getting into the network is to gain the credentials of someone who has permission to access the network. Therefore, no matter how well you’ve protected your network, if an employee’s credentials are stolen, you can be at risk.
User awareness is not something an annual audit measures, but a lapse in it can put your data at risk. To make sure your entire team is following best practices, there are a few tips you can employ:
- Send out a monthly security newsletter: Speak openly about the threats that exist and take the opportunity to teach one component at a time.
- Educate users on how to protect their personal data: As you educate your team, connect these cybersecurity issues to the real threats that exist in their personal lives. As they learn best practices to protect themselves and their families, they will apply better habits at work.
- Perform phishing campaigns: Human curiosity leads people to click on links, which leads to problems. Some companies run their own simulated phishing campaigns to test and train their employees. The goal is to create a little bit of healthy paranoia so users will hesitate before clicking on any link.
- Invest in a password vault: Weak and stolen passwords are a critical weak point in cybersecurity. Using a password vault allows your team to have strong, unique passwords without the constant frustration of forgetting them.
Establish an Ongoing Process To Protect Your Business
Annual security audits are useful for companies to assess their cybersecurity and ensure a baseline level of protection is in place. However, IT departments should not fall into the trap of believing that passing the audit means everything is safe.
In the fast-moving cybersecurity world, threats are everywhere. The best approach is to build an ongoing process of evaluation and improvement.