Are your information technology (IT) systems up to snuff? Do you have the right security in place to protect the proprietary data of your business? Is your business employing measures to protect itself that meet the requirements for your cybersecurity insurance? When it comes to everyday threats, is your organization truly protected?
If the answer to any of these questions is no or I don’t know, then it’s time to conduct an IT audit of your business systems and networks. To begin, you’ll need to survey all of your existing controls. This will show where your company stands with its IT and cybersecurity and what needs to be addressed to provide the best protection against cyber threats such as malware and ransomware.
Starting with a Cybersecurity Survey
The first step to conducting a thorough IT audit is taking a cybersecurity survey. This will help determine what security measures you already have in place and whether they are applied consistently across your systems. ORAM Corporate Advisors offers a free online cybersecurity survey to get you started at https://www.surveymonkey.com/r/R9NZJZF.
Email Scanning and Protection
The survey will review a multitude of items. Email security is one topic that must be addressed. A third-party assessor such as ORAM Corporate Advisors will want to know, for example, whether you tag external emails so employees can see that a message originated outside your organization, and whether incoming emails are prescreened for malicious links and attachments. The ability to detonate attachments automatically in a sandbox and determine whether they are malicious before delivery to the end user is a priority, since human error often leads to breaches.
Another part of the survey asks what protections your business has implemented to prevent phishing. Do you publish a Sender Policy Framework (SPF) record listing the servers allowed to send mail for your domain? Do you sign outbound mail with DomainKeys Identified Mail (DKIM)? Has your organization published a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy, and is that policy set to quarantine or reject rather than left in monitor-only mode (p=none), which reports spoofing but does not stop it?
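How those three records work together is easier to see in code. The following is an added example written for this page, not code from ORAM Corporate Advisors or the survey: a simplified receiver-side SPF evaluator and a DMARC alignment check run against constructed DNS records for example.com. The domain names, IP addresses, TXT records and the two-label organizational-domain shortcut are assumptions made for the example.

```python
"""Added example, not code from the ORAM article: how a receiving mail
server combines SPF, DKIM and DMARC results for one message.

All domains, DNS records and authentication results are constructed for
this example; nothing is looked up over the network."""
import ipaddress

# Constructed TXT records. A real check queries DNS for <domain> (SPF)
# and _dmarc.<domain> (DMARC); the addresses are documentation ranges.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.0/28 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
}


def org_domain(domain):
    """Organizational domain, approximated as the last two labels. Real
    implementations consult the Public Suffix List (this shortcut is wrong
    under suffixes such as co.uk); an assumption made for the example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def spf_check(client_ip, domain, dns=DNS_TXT, depth=0):
    """Minimal SPF evaluator covering ip4, ip6, include and all. Real SPF
    also has a, mx, exists, redirect and a 10-lookup limit (approximated
    here by the depth guard). Returns pass/fail/softfail/neutral/none."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_check(client_ip, arg, dns, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False  # unsupported mechanism: treated as no match
        if matched:
            return results[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Split a DMARC record into tags, applying the RFC 7489 default of
    relaxed alignment when adkim/aspf are absent."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only needs the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DNS_TXT):
    """Return (disposition, reason) for a message whose visible From: is
    from_domain. spf_domain is the MAIL FROM domain, dkim_domain the d=
    tag of the verified DKIM signature; results are 'pass' or 'fail'."""
    record, subdomain = dns.get("_dmarc." + from_domain.lower()), False
    if record is None and org_domain(from_domain) != from_domain.lower():
        record, subdomain = dns.get("_dmarc." + org_domain(from_domain)), True
    if record is None:
        return "none", "no DMARC record published"
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("DKIM" if dkim_ok else "SPF")
    # Subdomains without their own record fall back to sp= if present.
    disposition = policy.get("sp", policy["p"]) if subdomain else policy["p"]
    return disposition, "no aligned SPF or DKIM pass"
```

The two cases worth noticing are the spoof and the forward: a message whose MAIL FROM passes SPF for attacker.example but shows example.com in the From: header fails alignment and is rejected, while a legitimately forwarded message that fails SPF still passes DMARC on its aligned DKIM signature. That second case is why publishing SPF alone is not enough to move to p=reject safely.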
Part of preventing phishing is how users access email. Can your employees access their email through a web application or from a non-corporate device? If so, do you enforce multi-factor authentication (MFA) for that access?
You will also be asked about other phishing controls your enterprise has employed. For example, have all employees with financial or accounting responsibilities completed social engineering training? Did the training include phishing simulations? If your organization sends or receives wire transfers, have employees been properly trained on how those should be handled and red flags to watch for?
Office 365 and Other Programs
Many modern organizations rely on cloud productivity suites and line-of-business applications, so the survey will look at which programs and applications you employ. If your business uses Office 365, has it also enabled the Advanced Threat Protection add-on (now sold as Microsoft Defender for Office 365)?
By looking at what programs your company utilizes as well as what security measures you currently have in place, your third-party provider can make recommendations, if any are needed, to improve your email and data security.
Another item to review is your cloud storage. Your auditor will ask which cloud provider you use to store data or host your applications. You may even use more than one cloud provider. If so, then you will be asked to specify which is providing the largest storage quantity when it comes to sensitive client and/or employee information. For example, this may include medical records, personal health information, social security numbers, bank account details, or credit card information.
The question of multi-factor authentication will also be asked regarding your cloud services provider. Whether you are using Amazon Web Services (AWS), Microsoft Azure, Google Cloud, or another provider, MFA should always be required, especially for administrative and root accounts. This leads to questions about whether you encrypt all sensitive and confidential data stored on your business systems and networks. If not, you will be asked what compensating controls you have in place, such as segregating servers that hold personally identifiable or confidential information onto their own network segment, or enforcing role-based access control so that only staff with a business need can reach that data.
The idea of working from home was growing even before the COVID-19 pandemic hit. The pandemic accelerated the growth of the remote workforce for most organizations and many found themselves in unfamiliar, unsecured territory as a result. Your third-party provider will examine how you have implemented your remote workforce and what security measures you have put in place as well.
For starters, you’ll be asked if you allow remote access to your network. If so, does your company use MFA to secure all remote access, including every remote desktop protocol (RDP) connection, and is RDP reachable directly from the internet at all? Exposed RDP with password-only logins is a common ransomware entry point; it belongs behind a VPN or gateway that enforces MFA. If MFA is used, your auditor will ask who your MFA provider is to confirm that the software is a quality product with regular updates.
Antivirus and Endpoint Software
Another item that will be reviewed is the antivirus program(s) you have in place. Does your company use a next-generation antivirus (NGAV) product to protect all endpoints across your enterprise? If the answer is yes, your auditor will ask who your NGAV provider is, as not all of them are created equal.
Just as important as your antivirus program is your endpoint detection and response (EDR) tool. A strong EDR will include centralized monitoring and logging of all endpoint activity across your enterprise. Again, your auditor will want to know who your provider is and whether MFA is used to protect privileged user accounts. If so, what management software do you employ for handling those privileged accounts (CyberArk, BeyondTrust, etc.)? Is all administrator access monitored continuously for unusual behavior patterns to help prevent insider threats?
Mobile Devices and Other Assets
When it comes to mobile devices, are employees allowed to use their own, or are they provided by your company? Are all mobile devices from laptops to cell phones configured properly and what security is employed on them? Do non-IT users have local administration rights on their desktop and laptop computers?
Your auditor will also ask about the tracking of software and hardware assets. Has your company been vigilant about tracking all hardware, from desktops and servers to monitors and laptops? What about the software programs and apps being used within your organization? Your auditor will want an inventory of all hardware and software in use, because you cannot patch what you do not know you have. The inventory also shows which hardware is due for replacement and which software needs to be updated or upgraded for the best data protection.
Patching and Updates
One of the simplest ways to secure a business network and its systems is to run regular, automated patches and updates for software. As software companies find vulnerabilities in their programs, they push out patches or updates to fix them. There are tools that can apply these automatically during off-hours, such as a nightly maintenance window, so as not to interfere with production during peak work hours.
The third-party provider handling your audit will ask how quickly critical and high-severity patches are installed across your business systems and network, including on mobile devices. As software reaches end of life and stops receiving security updates, does your organization have a plan to replace it or purchase extended support, and until then, is it segregated from the rest of your network?
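As an added example for this page (not code from ORAM Corporate Advisors or any vendor), here is the kind of check an auditor runs over an asset inventory to answer the patch-frequency and end-of-life questions above: each row is scored against an assumed installation SLA per severity, and unsupported software is flagged unless its host is segregated. The inventory rows, hostnames, SLA windows and end-of-life dates are constructed for the example.

```python
"""Added example, not code from the ORAM article: the patch-compliance and
end-of-life check an auditor can run over a software inventory export.

The inventory rows, SLA windows and end-of-life dates are constructed for
the example; a real run would read the export from your RMM or endpoint
management tool."""
from datetime import date

# Assumed SLA: maximum days between a patch's release and its installation.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed inventory, one row per host and package. 'installed' is None
# when the patch has not been applied; 'eol' is the vendor end-of-support
# date; 'segregated' is whether the host lives on an isolated segment.
INVENTORY = [
    {"host": "fs01", "package": "ServerOS", "severity": "critical",
     "released": "2021-03-01", "installed": "2021-03-05", "eol": None, "segregated": False},
    {"host": "ws17", "package": "Browser", "severity": "high",
     "released": "2021-03-01", "installed": None, "eol": None, "segregated": False},
    {"host": "scan02", "package": "LegacyScannerOS", "severity": "critical",
     "released": "2020-01-15", "installed": "2020-01-20", "eol": "2020-10-13", "segregated": False},
    {"host": "plc01", "package": "ControllerOS", "severity": "high",
     "released": "2019-05-01", "installed": "2019-05-10", "eol": "2019-12-31", "segregated": True},
    {"host": "ws03", "package": "OfficeSuite", "severity": "medium",
     "released": "2021-01-10", "installed": "2021-02-20", "eol": None, "segregated": False},
]


def _to_date(value):
    """ISO date string (or None) to a date, as a CSV export would give it."""
    return date.fromisoformat(value) if value else None


def patch_findings(inventory, as_of):
    """Return (host, package, finding) tuples for rows that breach the SLA
    or run end-of-life software on a non-segregated host. as_of is the
    audit date as an ISO string."""
    today = _to_date(as_of)
    findings = []
    for row in inventory:
        released = _to_date(row["released"])
        installed = _to_date(row["installed"])
        eol = _to_date(row["eol"])
        limit = SLA_DAYS[row["severity"]]
        # Age of the patch: time to install, or time still outstanding.
        age = ((installed or today) - released).days
        if age > limit:
            state = "installed" if installed else "still missing"
            findings.append((row["host"], row["package"],
                             f"{row['severity']} patch {state} {age} days after release (SLA {limit})"))
        if eol is not None and eol < today and not row["segregated"]:
            findings.append((row["host"], row["package"],
                             f"end-of-life since {eol.isoformat()} and not segregated"))
    return findings


def compliance_rate(inventory, as_of):
    """Share of inventory rows with no finding, the figure usually reported."""
    flagged = {(host, package) for host, package, _ in patch_findings(inventory, as_of)}
    return 1 - len(flagged) / len(inventory)


if __name__ == "__main__":
    audit_date = "2021-04-15"  # constructed audit date
    for host, package, finding in patch_findings(INVENTORY, audit_date):
        print(f"{host:8} {package:18} {finding}")
    print(f"compliant rows: {compliance_rate(INVENTORY, audit_date):.0%}")
```

Note that plc01 runs an end-of-life operating system but produces no finding because it is segregated; that is exactly the compensating control the auditor is asking about, and the check should be paired with evidence that the segregation is real (firewall rules, VLAN assignment) rather than a checkbox in the inventory.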
It’s well known that human error is responsible for many cybersecurity breaches. Whether they click a dangerous link in an email, open a nasty attachment, or visit a malicious website, people make mistakes, especially when they have not been properly trained on an ongoing basis. This is why a protective domain name system (DNS) service is imperative to your company’s cybersecurity.
Your auditor will ask if your enterprise is using a protective DNS service such as Zscaler, Quad9, OpenDNS, or another product. Such DNS services block resolution of known malicious domains, so a user who clicks a bad link never reaches the site; this reduces the impact of human error and, thus, the odds of a breach. If you do have such a service, you’ll be asked who the provider is and whether all devices, including remote ones, are forced to use it. You will also be asked about endpoint isolation and containment technology.
Many businesses, from educational to financial institutions, use document programs to share information easily. Your auditor will want to know whether your employees, clients, and partners can run macro-enabled Microsoft Office documents on their systems by default, since macros from untrusted sources should be blocked. They will also ask whether you implement PowerShell best practices as recommended by Microsoft, such as enabling script block logging, removing the legacy PowerShell 2.0 engine, and constraining which scripts are allowed to run.
SIEM and SOC
Another part of securing data is the use of a security information and event management (SIEM) platform to collect and correlate logs from across the environment. The auditor reviewing your company’s cybersecurity will also ask whether you use a security operations center (SOC) and, if so, whether it is monitored 24 hours a day, seven days a week. They will ask about vulnerability management tools as well.
If the worst should occur and your organization is breached, what backup solution does your business have in place? Your third-party auditor will want to know what product you are using, how frequently it backs up your data, whether a copy is kept offline or otherwise out of reach of ransomware, whether restores are actually tested, and how long it would take to restore the essential functions of your business after a malware or ransomware attack on your network. After all, downtime means lost revenue, and some organizations have failed following a breach for this reason.
If you have more questions about getting started with an IT audit for your organization, contact ORAM Corporate Advisors today at (617) 933-5060. The call is free and there is no obligation.