If your company does not yet conduct internal cyber audits to assess and manage your cybersecurity risks, it’s time to start. For those businesses that do, it is equally important to promptly address any vulnerabilities that are detected.
The City of Atlanta recently learned the hard way how important it is to head the warnings of a cyber audit. The city was recently hit by a ransomware attack that The New York Times called “one of the most sustained and consequential cyberattacks ever mounted against a major American city.”
According to media reports, Atlanta officials were warned last summer that the city’s IT infrastructure was vulnerable to attack. An internal audit found, "the large number of severe and critical vulnerabilities identified has existed for so long the organizations responsible have essentially become complacent and no longer take action."
The audit further stated, "departments tasked with dealing with the thousands of vulnerabilities ... do not have enough time or tools to properly analyze and treat the systems."
Conducting an Internal Cyber Audit
While creating a cybersecurity plan is critical to safeguarding your company, testing for effectiveness and efficiency is equally important. After all, it’s far better to discover your weaknesses in a test situation rather than in real life.
When conducting a cyber audit, be sure to take IT, business, and legal concerns into account. Audits, which often require the assistance of outside professionals, must be comprehensive enough to address all points of entry. Below are several key areas that should be taken into consideration:
- Systems testing: The most technical part of a cyber audit involves analyzing and penetration testing all of your internal and external systems. Auditors will also test that software and data updates are being performed; cybersecurity is incorporated into application and software development; and existing IT controls can address new and emerging threats.
- Data protection: The audit should also evaluate the management and protection of PII (Personally Identifiable Information) data and intellectual property including trade secrets. For instance, physical and logical security controls should be established at all sites containing PII and other sensitive data. The adequacy of your data loss protection should also be examined.
- Regulatory compliance: As the regulatory landscape continues to evolve, businesses must make sure their policies and procedures are keeping pace. The New York Division of Financial Services cyber-security standard, the Securities and Exchange Commission (SEC)’s latest cyber guidance, and HIPAA are just a few examples.
- Security awareness and training: Your employees can be either an asset or a liability when it comes to cybersecurity. Audits should access both employee awareness and compliance. Common risks areas include the security of employee-owned devices and phishing attacks on corporate email accounts. The overall organization’s attitude towards cybersecurity should also be evaluated. When it comes to corporate culture, complacency at the top can quickly trickle down to the entire business.
- Coordination: Comprehensive cybersecurity plans require coordination across a broad range of departments. The failure to clearly define roles can result in “turf wars.” Conversely, risks can also fall through the cracks if one department wrongly assumes the other is addressing the issue. Audits should also confirm that businesses have procedures in place to keep the board of directors informed about how cyber risks are being managed.
- Third-party risks: If your vendors don’t take the same cybersecurity precautions, your data will still be at risk. It is imperative to require third-party vendors to meet minimum data security standards and also regularly monitor them for compliance.
- Crisis management: Attacks can occur even when businesses have cyber plans in place, so it’s important to verify that your crisis management can quickly restore your operations and communicate effectively with business partners, customers, regulators and the public.
Of course, internal audits can also be invaluable in a number of other related areas, including testing your business-continuity and disaster-recovery plans. To determine if your existing policies and procedures pass muster, we encourage businesses to work with knowledgeable IT and legal professionals.
Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work. To learn more about data privacy and security, visit eWhiteHouse Watch – Where Technology, Politics, and Privacy Collide (http://ewhwblog.com).