An information security audit is one of the most reliable tools a company has for checking the current state of its information protection and risk management, and for identifying potential threats and vulnerabilities. A regular audit lets the business confirm that its information assets are actually protected and decide which data protection measures to take next.
According to statistics published by Cisco for the first half of 2022, more than 54% of companies do not audit information security regularly, more than 25% do not audit at all, and 73% of representatives of medium and large businesses admitted that they should have taken care of their overall information security, and of the safety of confidential company data, much earlier.
In this article we look at five mistakes in a business information security audit. A poor-quality audit, much like no audit at all, leaves the company exposed to cyberattacks and information leaks.
When we say "an audit of the company's information security", by default we mean an internal audit. An internal audit is governed by the company's own bodies and services, its internal documents and charters, and is carried out regularly according to a schedule approved by management.
An external audit of the company's information security is a check of the IS infrastructure by independent specialists who are given access to the company's internal network under the terms of an agreement concluded with the company. An external audit is carried out less often than an internal one, most commonly at the request of management, government agencies, shareholders, or the future owners of the company ahead of a purchase. Bringing in outside professionals for an external audit also signals the company's reputational soundness and stability. Large companies keep a staff of qualified auditors holding the appropriate licences for the area being audited; smaller companies hire auditors from outside.
Since the beginning of 2022, Russian companies have experienced 60% more cyberattacks than in the same period of the previous year, with attacks targeting both public and private companies. For example, Russian Post recently confirmed a mass leak of user data; the personal data of 25 million CDEK clients also ended up online; the DDoS attacks on SPIEF in June reached 140 gigabits per second; Sberbank reported the largest cyberattack in its history; and the Conti group stole data from more than 850 Russian private companies. This is only a small part of the incidents of June-July 2022.
Investigators of one of these incidents concluded that the leak could have been avoided had the company installed an up-to-date version of its security software. The opposite mistake exists too: in a large company, an update or a new piece of software should be checked before installation to see whether it will break something important in the information security infrastructure, because an IS specialist who rashly installs everything at once can cause serious consequences, especially in companies that depend on their IT systems. The answer to both mistakes is not to delay patching, but to make it predictable.
The company should therefore have a documented process for installing software and application updates that names the owner responsible for tracking installation, sets a schedule for updates and the associated downtime with clear time frames, and defines the priority in which the company's information security systems are updated.
Many companies run systems that are supported not by in-house staff but by external contractors. The access paths ("gates") through which these external services reach the systems become an attractive target for attackers, and the company's IS administrator often writes off suspicious behaviour in the system as the hired contractor's normal activity.
To minimise the risk of an intruder getting in through the company's contractors, it is necessary to:
A) set up account management for employees and contractors, so that every contractor works under an individual, named account with an owner on the company side;
B) have a plan for notifying the people who must block the accounts of outsourcers and contractors when cooperation ends, so that access does not outlive the contract;
C) route contractor access to the corporate network through a managed access system that grants it for specific work and logs what is done;
D) implement multi-factor authentication for external connections.
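As an added example (not code from the original article), the following POSIX shell script implements the check behind point B): it compares the business side's contractor roster with the state of the contractor accounts on a host and reports contracts that have ended while the account is still usable, as well as usable accounts that have no roster entry at all. The roster, the account listing (written in the shape of `passwd -S` output), the group name "contractors" and the "today" date are all constructed sample data; on a real host you would feed it `passwd -S` output for the members of your contractor group.

```shell
#!/bin/sh
# Added example, not from the original article: find contractor accounts that
# should already have been blocked. All input below is constructed sample data.

# Contractor roster as kept by the business side: login,contract_end (YYYY-MM-DD).
CONTRACTORS='acme-svc,2022-06-30
vend-dba,2022-12-31
mon-ops,2022-05-15'

# Account state for every login in the (assumed) "contractors" group, in the
# shape of `passwd -S` output: login status ... where status P = usable
# password, L = locked, NP = no password. Constructed for this example.
ACCOUNTS='acme-svc P 2021-03-01 0 99999 7 -1
vend-dba P 2022-01-10 0 99999 7 -1
mon-ops L 2021-11-02 0 99999 7 -1
ghost-svc P 2020-08-19 0 99999 7 -1'

# stale_contractor_accounts TODAY   (TODAY as YYYY-MM-DD)
# Prints one line per problem:
#   STALE  <login> contract ended <date>   contract is over, account still usable
#   ORPHAN <login> no roster entry         usable account nobody is responsible for
# ISO dates order correctly as plain strings, so no date arithmetic is needed.
stale_contractor_accounts() {
  {
    printf '%s\n' "$ACCOUNTS"
    echo '#roster'
    printf '%s\n' "$CONTRACTORS" | tr ',' ' '
  } | awk -v today="$1" '
    /^#roster/ { in_roster = 1; next }
    !in_roster { status[$1] = $2; next }            # account listing: login status
    {                                               # roster line: login end
      login = $1; end = $2; on_roster[login] = 1
      if ((login in status) && status[login] != "L" && end < today)
        printf "STALE  %s contract ended %s\n", login, end
    }
    END {
      for (l in status)
        if (!(l in on_roster) && status[l] != "L")
          printf "ORPHAN %s no roster entry\n", l
    }'
}

# lock_commands TODAY
# Turns the findings into the offboarding commands an administrator would run.
# They are printed, not executed (they need root). Locking the password alone
# still allows key-based logins; an expiry date in the past (-e 1970-01-02)
# blocks the account for every authentication method.
lock_commands() {
  stale_contractor_accounts "$1" | awk '{ print "usermod -L -e 1970-01-02 " $2 }'
}

# Stand-alone run. New contractor accounts should carry an expiry from day one,
# e.g.  useradd -e 2022-12-31 -G contractors vend-dba
stale_contractor_accounts 2022-08-01
lock_commands 2022-08-01
```

With the constructed data and 2022-08-01 as "today", acme-svc is reported as STALE (contract ended 2022-06-30, password still usable) and ghost-svc as ORPHAN; mon-ops is also past its contract but already locked, so it is not reported. Run the script from the offboarding procedure or as a scheduled check so that a missed notification in step B) is caught within a day.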
Did you know that, by some estimates, more than 90% of attacks and information leaks involve human error? Most companies are now well enough equipped technically that a leak is hard to achieve through the technology alone, which leaves the end user, the company's employee, as the most vulnerable point. Staff in departments related to information security and in the technical department know step by step how to behave when there is a risk of a leak, what data may and may not be shared, and which software to use in which situation. Employees of, say, a sales or public relations department may not go into the details of working with data: they send confidential company data over external communication channels, click on suspicious links, and open attachments from unknown senders.
Internal and external audits of the company produce an overall score for the security of its information security systems, and "security" here includes the level of employee awareness of the risks of working with data and of the response plan for cyber incidents. So unless you run an IT business, where the vast majority of employees already have some idea of the risks of cyberattacks, you should regularly hold information security training for employees that covers current threats and attacker methods, including exercises that simulate an attack (for example, a phishing test).
Do not overlook the ports used to manage services (for example SSH on port 22, Telnet on port 23, RDP on port 3389, and so on). Many tools for testing a company's information security systems for vulnerabilities are available for free, and the vast majority require no special skills, so an attacker needs little time or effort to break in.
How does it work? If, for example, the SSH port is reachable from the Internet, the attacker runs a password-guessing tool against it and logs in with a weak or reused password. The damage done afterwards depends on the attacker's skill. What to do?
A) The company's IT specialists should make sure that the network ports used for remote management of systems are not reachable from outside (limit them to the management network or a VPN), and switch SSH from password access to key-based access. Moving a service from its standard port to another one reduces scanner noise but does not protect it: a port scan finds it in seconds, so treat this as cosmetic rather than as a control.
B) Make sure that every user with administrative rights was granted them by management and that there are no extra people with elevated access.
C) Install reliable anti-leak software, such as a DLP system. For example, in Falcongaze's popular DLP system SecureTower, full control of corporate information is achieved by monitoring the largest possible number of communication channels and data transfer protocols; after analysing the intercepted data, the system automatically notifies about any violation of a security rule, with all the details of the incident.
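As an added example (not code from the original article or from any vendor), the POSIX shell script below audits an sshd_config for the settings point A) is about: password authentication, root login, the interface sshd listens on and the default port. Both configurations are constructed samples. One assumption is built in deliberately and is worth knowing: sshd takes the first value it sees for each keyword, so a hardened line appended at the bottom of a file does nothing if a weaker line precedes it, and the parser below mimics that.

```shell
#!/bin/sh
# Added example, not from the original article: check an sshd_config for the
# weak remote-management settings described above. Both configs below are
# constructed samples, not real host configurations.

# Stock-looking config plus an ineffective "fix" appended at the end.
WEAK_CFG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# added later by an admin: has NO effect, sshd keeps the first value it saw
PasswordAuthentication no'

# Key-only access, bound to the management interface only (10.0.0.5 is made up).
HARDENED_CFG='Port 22
ListenAddress 10.0.0.5
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowGroups ssh-admins
Match Address 10.0.0.0/24
    AllowTcpForwarding no'

# sshd_get KEYWORD   (config text on stdin)
# Prints the effective global value of KEYWORD. sshd uses the FIRST occurrence
# of each keyword, so we stop at the first hit; everything after a Match line
# is conditional and ignored here. Simplified parser: "Keyword value" form
# only, comments and blank lines skipped, keywords compared case-insensitively.
sshd_get() {
  awk -v key="$1" '
    /^[ \t]*#/ || NF == 0       { next }
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print $2; exit }
  '
}

# audit_sshd CONFIG_TEXT
# Prints one finding per line, applying sshd defaults when a keyword is absent
# (PasswordAuthentication yes, PermitRootLogin prohibit-password, Port 22).
audit_sshd() {
  cfg=$1
  pw=$(printf '%s\n' "$cfg" | sshd_get PasswordAuthentication)
  root=$(printf '%s\n' "$cfg" | sshd_get PermitRootLogin)
  listen=$(printf '%s\n' "$cfg" | sshd_get ListenAddress)
  port=$(printf '%s\n' "$cfg" | sshd_get Port)

  case "${pw:-yes}" in
    [Yy][Ee][Ss]) echo "WEAK: PasswordAuthentication yes: passwords can be guessed online, switch to keys" ;;
  esac
  case "${root:-prohibit-password}" in
    [Yy][Ee][Ss]) echo "WEAK: PermitRootLogin yes: root is the username every brute-forcer tries first" ;;
  esac
  if [ -z "$listen" ]; then
    echo "WEAK: no ListenAddress: sshd binds every interface; bind it or firewall it to the management network"
  fi
  if [ "${port:-22}" = 22 ]; then
    echo "INFO: default port 22: moving it only cuts scanner noise, reachability is what matters"
  fi
}

# Number of WEAK findings (INFO lines are not counted).
sshd_weak_count() {
  audit_sshd "$1" | awk '/^WEAK:/ { n++ } END { print n + 0 }'
}

# Exit status 0 when the config has no WEAK finding.
sshd_is_hardened() {
  [ "$(sshd_weak_count "$1")" -eq 0 ]
}

# Stand-alone run. On a real host: audit_sshd "$(cat /etc/ssh/sshd_config)"
echo "--- weak config";     audit_sshd "$WEAK_CFG"
echo "--- hardened config"; audit_sshd "$HARDENED_CFG"
```

On the weak sample the script reports three WEAK findings (password logins, root login, listening on all interfaces) even though `PasswordAuthentication no` appears in the file, because the earlier `yes` wins; on the hardened sample it reports only the informational note about port 22. `sshd -T` (run as root) prints the effective configuration with lowercase keywords and all defaults expanded, which this parser also accepts, but note that in that output a missing ListenAddress appears as explicit wildcard addresses rather than as an absent keyword.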
An information security audit of a company should be as comprehensive as possible, with the entire business infrastructure tested for strength. No company today is fully insured against leaks, so a full-fledged audit is a tool that greatly reduces the risk of an attack. When commissioning an information security audit, make sure you do not forget the non-obvious mistakes mentioned in this article.