What to audit in Cyber Security

Information and cyber security risks are growing. An effective approach to managing these risks can be the difference between collapsing under an incident or data breach and continuing to trade. Information and cyber security is particularly difficult for small-to-medium sized businesses, which may not have the specialist resources or mature processes to help them manage the risk and weather the storm.

An audit can help organisations focus on the important areas first. But what should you cover?

Here’s our summary:

Access

For this, you’ll need to assess how you control who can access your systems and what they can access. It includes areas such as:

  • Who have you given systems access to?
  • What level of access do they have? For example, system administrator access allows a user to do far more than a regular user can.
  • How do they access it? For example, do they need a username and password? Is this unique to each person? Do they need an additional code or token to access the system? (This is called 'Multi-Factor Authentication'.)
  • Are passwords easily guessed or reused across systems?

Compliance

There are several different ways you can check whether your technical security is doing what you expect. A quick starter should be how you:

  • scan your systems for weaknesses or vulnerabilities.
  • check your systems to be sure that no one has installed unauthorised software.

IT and operations

We don't expect you to be an expert in IT and operations security. However, there are some basic things you can check. The main ones are:

  • Do you have a security device known as a firewall between your internal systems and the internet? A firewall is a device designed to restrict how visible your internal systems are to the outside world.
  • Do you store and monitor the log files your systems generate? Attacks are sometimes challenging to detect, so using specialised software and/or services to monitor log files is an excellent way to find out if someone has broken into your systems.
  • Have you implemented encryption? Good encryption means that your data cannot be read unless someone has the correct key, even if they can get to the data. It's an extra control over who can access your data.
  • Are you applying software updates and security patches? Software providers are constantly issuing updates for their products. These updates often address security weaknesses that they, or others, have discovered. Therefore, applying the updates is an essential control for securing your systems.

Resilience

Even the most secure systems suffer breaches. Check that you have a plan to handle these incidents when they occur, and that the plan is well rehearsed. Good planning can stop an incident from becoming a crisis.

Policies

A policy is a set of rules your organisation has written to define what security means to you. If you don't have a policy, then the rules are not clear, and there's a chance you will miss something important. Consider:

  • Whether you have an information security policy.
  • How the information security policy is reviewed and approved.
  • How you manage suppliers and third parties.

Capability

While everyone has a role in securing an organisation, it's important to make someone responsible overall. Look at things such as:

  • Whether you have defined responsibility for information and cyber security.
  • Whether the individual you have given responsibility to is senior enough to take proper and effective decisions about security.

Also, many cyber-attacks are still targeted at the user, for example through a phone call or an email. Training users to help them recognise these attacks is an essential component of your information security programme.

Summary

We’ve covered some of the areas you’ll need to consider when checking or auditing your information security. A few summary points:

  • Good cyber security management involves a combination of measures that relate to people, process, and technology.
  • Most cyber security frameworks can be broken down into the following areas:
    • Access. Controlling and managing who has access to your systems, data and services.
    • Compliance. Monitoring whether your people, process and technology are operating securely.
    • IT and operations. Whether you have applied technical measures to manage the cyber security risk.
    • Resilience. Your ability to manage and cope with a cyber incident.
    • Policies. The cyber security rules you have set for your organisation.
    • Capability. Whether you have the right skills to manage cyber security, including your ability to source technical resources in the event of an incident.

Does this still seem complicated? If so, take a look at our free assessment here.

While we love helping organisations improve their cyber security, we don’t think you should need to be a specialist to perform a basic review of information security. We also don’t think you should be forced to buy expensive specialists to do this. Look at the review to see whether it can point you in the right direction before throwing money at the problem.