How to audit your existing security capabilities
Whether you have documented security policies in place or need to draft them, it’s important to audit your current security safeguards, so you can identify gaps that could be exploited.
With annual cybercrime costs estimated to reach $10.5 trillion worldwide by 2025, you don’t want your organization to be among the victims. Not only is a significant intrusion disruptive, but it can also undermine client trust, tarnish your reputation, and violate regulatory mandates.
In today’s world of knowledge work, most organizations have deployed some form of layered, defense-in-depth cybersecurity model, as recommended by best-practice frameworks such as the ISO/IEC 27000 family of standards. The thinking behind layered cybersecurity has its roots in the design of medieval castles: the more barriers attackers must overcome, the less likely they are to penetrate all of them. And if an intrusion is detected at an early layer, the attack can be contained before it reaches anything valuable, limiting its impact.
Identifying security weakness and vulnerabilities
As all IT professionals know, the days are long gone when sufficient cybersecurity meant simply installing firewalls to guard your networks, antivirus software to protect user endpoints, and an identity and access management (IAM) system to control an individual’s access to networks, applications, and data.
Of course, all that is still important, but both IT and organizational complexities have grown in recent years. New technologies, especially cloud computing, web-based applications, and diverse devices, are now common.
Pandemic-driven hybrid work models have made remote access an ever-bigger security concern. At the same time, the growing importance of business ecosystems means third-party partners increasingly need access to your environment, whether to physical assets for monitoring or to knowledge assets for collaborative work, and every such connection widens the attack surface you must audit.
The seven layers of security evaluation
To effectively evaluate every point of vulnerability in your organization, many security experts find it helps to walk through a seven-layer model of cybersecurity defenses as a navigation map. (Despite also having seven layers, this is not the Open Systems Interconnection (OSI) networking model, which describes protocol functions rather than defensive controls.) The seven layers serve as reference points:
The human layer, the weakest point in almost all organizations.
This vulnerability can be due to employee turnover, user errors, inappropriate behaviors, lack of awareness, and so on. It’s why email phishing attacks that can unleash disruptive and costly ransomware are so prevalent — and, too often, successful. It’s also why periodic security awareness training and a security culture are so critical.
Perimeter security, guarding your outer network edge where devices connect.
This layer includes routers, firewalls, and wireless access points, as well as the virtual private network (VPN) access used by remote workers. You should catalog every connected device, including PCs, laptops, tablets, smartphones, smart TVs, and printers, whether it is continuously connected or only occasionally so; a device you do not know about is a device you cannot patch or monitor.
Network security, protecting the digital backbone of your organization.
Your network should be segmented (functionally, geographically, or in some other logical way), so that an attacker who compromises one host cannot move laterally across the entire network and reach servers and endpoints at will. If your business involves industrial operations, your operational technology (OT) networks should be separated from your IT networks. Access must be granted on a need-to-know, least-privilege basis and continuously monitored, and ethical walls must isolate conflicted users or opposing teams in legal matters.
Endpoint security, defending the devices connected to your network.
The number of devices can be daunting, even in small organizations, as can their diversity, considering the “bring your own device” (BYOD) latitude that most companies have given their employees for years now. Fortunately, endpoint management software can inventory them all and enforce the patches and upgrades that need to be applied regularly; unpatched endpoints are one of the most common footholds attackers exploit. It is also important to have an IAM system that automatically revokes access when an employee is terminated, and to check periodically that the revocation actually happened rather than assuming it did.
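The deprovisioning check described above is the kind of control an audit should verify with evidence rather than trust. The following is an added example, not iManage’s own code: it cross-references a constructed HR roster export with a constructed IAM account export (both hypothetical column layouts) and reports accounts that are still enabled for terminated employees, accounts whose owner no longer appears in HR at all, and dormant accounts that nobody has logged into recently.

```python
"""Audit IAM accounts against the HR roster to find access that should have
been revoked.

Added example, not iManage's own code. Assumes two CSV exports with the
hypothetical column names shown below; both datasets are constructed.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster export (hypothetical column names).
HR_CSV = """employee_id,name,status,termination_date
E100,Alice Ng,active,
E101,Bob Ruiz,terminated,2024-03-01
E102,Chen Wu,active,
E103,Dana Ali,terminated,2024-05-15
"""

# Constructed IAM export: one row per account; service accounts have no owner.
IAM_CSV = """account,owner_employee_id,enabled,last_login
alice.ng,E100,true,2024-06-01
bob.ruiz,E101,true,2024-05-20
chen.wu,E102,true,2024-06-02
dana.ali,E103,false,2024-05-10
svc-backup,,true,2023-01-01
ghost.user,E999,true,2024-06-01
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit_accounts(hr_rows, iam_rows, today, dormant_days=90, grace_days=1):
    """Return findings keyed by type.

    stale_terminated: still enabled for a terminated employee more than
                      grace_days after the termination date.
    orphaned:         enabled, but the owner is not in the HR roster.
    dormant:          enabled, but no login within dormant_days.
    """
    hr = {r["employee_id"]: r for r in hr_rows}
    findings = {"stale_terminated": [], "orphaned": [], "dormant": []}
    for acct in iam_rows:
        if acct["enabled"].lower() != "true":
            continue  # already disabled, nothing to flag
        owner = acct["owner_employee_id"]
        if owner:  # service accounts carry no owner; only the dormancy check applies
            emp = hr.get(owner)
            if emp is None:
                findings["orphaned"].append(acct["account"])
            elif emp["status"] == "terminated":
                term = date.fromisoformat(emp["termination_date"])
                if today - term > timedelta(days=grace_days):
                    findings["stale_terminated"].append(acct["account"])
        last = date.fromisoformat(acct["last_login"])
        if today - last > timedelta(days=dormant_days):
            findings["dormant"].append(acct["account"])
    return findings


def run_audit(today=date(2024, 6, 10)):
    """Run the audit over the constructed exports as of a fixed date."""
    return audit_accounts(parse_csv(HR_CSV), parse_csv(IAM_CSV), today)


if __name__ == "__main__":
    for kind, accounts in run_audit().items():
        print(f"{kind}: {accounts}")
```

Against the constructed data the audit flags bob.ruiz (terminated in March but still enabled), ghost.user (owner unknown to HR) and svc-backup (no login in over a year). Each finding is a gap to record in the audit log with an owner and a remediation date; the script deliberately does not disable anything itself, since an audit should observe and report, not change the environment.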
Application security, supporting the software tools your employees use to do their work.
These tools also need regular updates to patch security holes and to provide new features and capabilities, so the audit should record each application and the version in use. Installation of unapproved applications should be restricted, since software that is not in the inventory will never be patched.
Data security, shielding the most frequent target of attacks.
Data comes in two basic forms: structured, such as Social Security numbers and credit card information in databases; and unstructured, such as text (e.g., documents, email), video, and graphics. Encryption at rest and in transit prevents an attacker who obtains the data from reading it, provided the keys are stored and managed separately from the data they protect. Automated and continuous backups and tested recovery procedures should be in place.
Mission-critical assets.
It is vital to safeguard your business essentials, such as core intellectual property that belongs to you, your customers, or your clients. Not all data requires equal protection, but this type of data should have the highest levels of security.
Determining and prioritizing new technology needs
If done right, the discovery involved in auditing your security safeguards will take significant time and well-qualified expertise to complete. If your IT team lacks either or both, outside consultants can conduct the audit for you.
In addition to taking a detailed inventory of all the devices, applications, network components, existing security controls, and other elements, you need to document the findings in a version-controlled file, such as a spreadsheet, that is itself access-controlled and backed up, since the inventory is a valuable map for an attacker as well as for you.
The next step is to prioritize the gaps and vulnerabilities that are most critical as well as the technology needed to address them. In many cases, those issues won’t need to be resolved with technology but rather with a new or revised process or protocol.
Last, and certainly not least, you should assess and test the backup and recovery capabilities for your current data and applications, for both on-premises and cloud environments. A backup that has never been restored is an assumption, not a capability. These capabilities must be available to support a documented incident response plan that assigns specific roles and responsibilities to relevant and qualified personnel by name.
Over time, technology advances and people change positions or leave the organization. For these reasons, you should both conduct a security audit and practice the incident response plan’s procedures at least once a year.
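As an added example of the restore test recommended above (not iManage’s own code), the following Python script backs up a constructed set of files into an archive, records a SHA-256 manifest of what was backed up, restores the archive into a scratch directory and verifies that every file came back unchanged. The directory layout and file contents are constructed; the same verify_restore() function would run against a real restore target.

```python
"""Exercise a backup end to end: archive, restore into a scratch directory,
and verify every restored file against a SHA-256 manifest.

Added example, not iManage's own code. The dataset and the simulated
corruption are constructed for illustration.
"""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def backup(src, archive_path):
    """Write a gzip'd tar of src and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src, arcname=".")
    return build_manifest(src)


def restore(archive_path, dest):
    # Use the 'data' extraction filter where available (Python 3.12+ and
    # backports) so a tampered archive cannot write outside dest.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(dest, **kwargs)


def verify_restore(manifest, restored_root):
    """Return (ok, problems) listing missing, unexpected and altered files."""
    actual = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return (not problems, problems)


def run_restore_test(tamper=False):
    """Back up a constructed dataset, restore it, optionally corrupt one
    restored file (simulating media failure), and return the verdict."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "matters"))
        with open(os.path.join(src, "matters", "contract.txt"), "w") as f:
            f.write("client contract v3\n")          # constructed content
        with open(os.path.join(src, "policy.txt"), "w") as f:
            f.write("retention policy\n")            # constructed content
        archive = os.path.join(work, "backup.tar.gz")
        manifest = backup(src, archive)
        dest = os.path.join(work, "restore")
        os.makedirs(dest)
        restore(archive, dest)
        if tamper:
            with open(os.path.join(dest, "policy.txt"), "a") as f:
                f.write("corrupted\n")
        return verify_restore(manifest, dest)


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("corrupted restore:", run_restore_test(tamper=True))
```

The manifest is the piece most backup routines skip: without a record of what was backed up, a restore that silently drops or alters a file looks identical to a successful one. In a real exercise the manifest should be stored apart from the backup media, the restore should land on a host that mirrors production, and the time the restore took should be recorded against the recovery-time objective in the incident response plan.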
Find out more about securing your knowledge and sensitive data while balancing protection and accessibility in Protect knowledge and secure your vision.
About the author
Manuel Sanchez
Manuel Sanchez is Information Security & Compliance Specialist at iManage with extensive professional experience in information security, governance, and compliance.