A Guide to IT Security Audits


If you are one of those companies putting off your IT security audit, what are you waiting for? With cybercrime at record levels, and new viruses finding their way onto the internet every day, now is not the time to be scrimping on your cybersecurity.

Why you need an IT security audit

Even the largest companies fall prey to cybercrime and are vulnerable to never-before-seen viruses. But while many companies focus on checking their software, hardware and general systems, they often forget one important factor in IT security – humans. In fact, the ICO now states that 88% of UK data breaches are the result of human error.

While most companies do have in-house IT staff and security, it may well benefit your company to have an external IT security audit done. Internal teams have a clear perspective on their own IT security, but they may lack the bigger picture that an external and independent auditor can provide.

The Process

It is vital that IT security audits are tailored to the organisation, its needs and the potential risks involved. The kinds of risks faced by companies in the financial sector vary greatly from those faced in manufacturing or distribution. Clearly defining those risks, and also your own weaknesses, will prove hugely beneficial in the long run.

Each IT security audit should be tailored to the individual business, but it should typically involve the following stages.

An initial consultancy

The first stage should be an in-depth evaluation of the company and its current IT security systems. It’s important to build a clear and accurate risk profile of the business, covering day-to-day operations, the security checks already in place and potential growth. Once this has all been compiled, it becomes much easier to step back and assess the weak points within the company.

Vulnerability checks

While cybercrime may be growing, so is the technology used to fight back. IT infrastructure should be checked extensively using the latest software available, which allows security gaps, malware, viruses and faulty devices to be identified. Once they are found, it’s important to dig deeper to identify just how much of a risk, and what kind of risk, each one poses to the company.

If your company handles payments through credit or debit cards, a PCI scan, which detects fraudulent activity, is an absolute must.

Reviewing procedures

As mentioned earlier, 88% of data breaches come down to human error. It is a vital part of your audit to investigate the internal policies already in place, how effective they have been in the past, and where potential issues may lie going forward. This stage should also cover how data is stored and backed up, and who is ultimately responsible for it. Staff training and procedures must be scrutinised carefully, with employees tested on which procedures should be undertaken should the need arise.

Reporting the findings

It’s important to consolidate all of the information found in the audit, both positive and negative, and to explain how it affects the company’s security. Once this has been done, it becomes much easier to make concrete recommendations for the future. No company likes being told that its IT security is inadequate, but short-term discomfort will likely lead to long-term peace of mind. Of course, the audit is only half the battle. Once the findings have been presented, it’s important to take immediate action to address the problems that have been highlighted.

Follow up and retesting

You would be surprised how many companies quickly move on after making the recommended changes. Let’s be clear here: cybersecurity is an ongoing battle, and staying ahead of it needs constant supervision and updates. Once your company has enacted the changes needed, retest your system shortly afterwards. Everything from hardware and software to employee training should be scrutinised for at least a second time. If problems are flagged again, they have to be addressed immediately. A company’s IT system is not secure simply because the company has had an audit; it is secure once the company passes the follow-up test.

Bearing in mind how quickly cybercrime is changing, we recommend implementing these checks on a 6-month to yearly basis. Also, remember that new employees joining the company must be trained to the level of existing employees. If they are not, gaps in your system will begin to appear immediately.

When is the best time for an audit?

While an annual IT audit is highly recommended, there are always situations when an additional audit might be worth implementing.

Any significant alteration to a system, be that new hardware or software, should be followed by an audit. A new system might look impenetrable, but it is also likely to experience teething problems. Other reasons to audit include:

After the hiring of new staff. Incredibly, this is an area that many companies fail to implement properly. A wonderful meeting on IT security in May means absolutely nothing if half of your workforce changes in November. It is the responsibility of the company to be aware of which staff have received the relevant training.

After an office move. We’ve all done an office move. It can be a manic time when things easily fall through the cracks. Whether it is systems not being set up correctly again, or simply procedures missed in the chaos, companies are particularly vulnerable at this point.

After an acquisition or merger. Again, this may sound obvious, but a surprising number of companies fail to make the relevant checks at this point. You are essentially gaining a section of business, and it’s important to integrate it quickly into your IT security system.

Computers in the City, your IT security audit partner

Computers in the City is London’s longest-standing IT partner. With over 20 years’ experience, we can help you meet your IT support, digital security consulting and cloud computing needs. We’re proud to be local, offering 24-hour support in straightforward language that takes the stress out of IT support.