If Verizon’s 2014 Data Breach Investigations Report is any indication of where our Information Systems (IS) are most vulnerable, the answer is virtually everywhere. Here’s a direct quote:
“We have more incidents, more sources, and more variation than ever before—and trying to approach tens of thousands of incidents using the same techniques simply won’t cut it.”
The report concluded that 92% of all the confirmed data breaches in 2013 fit one of nine attack patterns. Some of the supporting statistics, as reported by InfoWorld, are astounding:
- Financially motivated criminals account for 60% of hacker attacks
- Attacks targeting intellectual property rose to 25%, a sharp increase over previous years
- Insiders are responsible for just 10% of attacks; among those insiders, cashiers and end users make up the bulk of the abusers
- Payment card data tops the list of the easiest targets for attackers
As a consumer, this information is frightening, but for a company whose responsibility it is to protect its customers’ identities and personally identifiable information (PII), it should be ringing all sorts of alarm bells.
If you haven’t already conducted a security audit this year, now is the time to do it. The clock is winding down on 2014, but hackers will certainly have more surprises in store for 2015. The best defense is a good offense, so here are three tried and true tips for conducting a best-in-class security audit.
1.) Know how to manage a successful audit. Believe it or not, your company’s first line of defense begins with whoever is in charge of reviewing, hiring and overseeing the security audit. It’s crucial that this person understands the auditing process and knows how to select the best auditing firm for your company’s needs. It almost goes without saying that not all auditing firms are created equal. TechTarget offers these suggestions for managing an audit:
- Establish a security baseline through annual audits.
- Spell out your objectives.
- Choose auditors with “real” security experience.
- Involve business unit managers early.
- Make sure auditors rely on experience, not just checklists.
- Insist that the auditor’s report reflects your organization’s risks.
2.) Choose the right auditor for your needs. You need a baseline understanding of what your goal or expectation is for running a security audit. Is it to discover gaps or inefficiencies? Is it to pinpoint illegal activity? Is it to determine how much it will cost to make improvements? Whatever your endgame is, you need to find the right player.
Taking the first big brand name that pops up in your initial search isn’t always the right answer. In the same way that you screen your job candidates, you need to screen your auditor. Ask to see their work. Do you understand their reports? Were they delivered in a timely fashion? Do the sample reports they show you contain another client’s confidential information (if so, take a pass: that is how your own findings will be handled)? Take stock of their communication skills. You will be spending a lot of time together and will, therefore, develop a close relationship by default. Is this someone you feel comfortable sharing information with? Do they show discretion in handling sensitive information? Do they get back to you when they say they will? Audits take long enough; you don’t need your time wasted by an auditor who disregards your deadlines. Experience and certifications can’t be stressed enough. An auditor’s technical resume should be lights out, but, of course, you’ll want to do your own investigation to confirm that everything on that resume checks out (we are a background screening agency, after all!).
3.) Give your auditor access. The biggest waste of time for Information Technology and/or IS professionals who just want to get on with their duties is the back and forth with auditors. This endless time suck of trading data turns into an aggravation for both parties and reinforces the negative stereotypes often associated with audits. Access here means read-only access to the logs, reports and security tools the auditor needs to examine, scoped to the audit and revoked when it ends; it does not mean administrative rights. This paragraph from a real-life IT professional explains why he finally gave his auditor an ALL ACCESS pass:
“Back in those days it was extremely difficult to perform such a feat (not that it is easy today, but it’s definitely easier). I did what I could with the technology that was available (SIEM, log repositories, etc.), and I filled in what was left. He loved the access, and I got to keep working while he dug through the data. And that is why I started testing the process of reporting and granting access to the reports in security tools before I purchased them. And I always requested sample reports from contractors before I bought their services so that I could see how organized they were. Both of these were (and still are) very important factors in giving the auditor what he needed so I could keep working.”
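Before handing an auditor that access, it is worth checking that the grant really is read-only and expires with the audit. The script below is an added example and is not part of the original post or the quoted IT professional's setup: it assumes the access is expressed as an AWS IAM policy document (the policies shown are constructed for illustration), treats Get/List/Describe/Lookup/Filter actions as read-only, and expects a `DateLessThan` condition on `aws:CurrentTime` as the audit-window expiry; those choices are assumptions, not requirements from the page.

```python
"""Check an auditor's access grant for least privilege before handing it over.

Added example, not code from the original post. Policy documents below are
constructed in AWS IAM policy JSON format for illustration; the read-only verb
list and the audit-window expiry condition are this example's assumptions.
"""
import json

# Action verbs that only read data. Anything else is treated as a write or
# administrative capability that an auditor should not receive.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Lookup", "Filter")


def is_read_only(action: str) -> bool:
    """True for actions like 'logs:GetLogEvents' or 'logs:Get*'; False for
    'logs:*', '*', 's3:*Object' or any verb outside READ_ONLY_PREFIXES."""
    verb = action.split(":", 1)[-1].rstrip("*")  # 'logs:Get*' -> 'Get'
    if "*" in verb or not verb:                   # '*', 'logs:*', 's3:*Object'
        return False
    return verb.startswith(READ_ONLY_PREFIXES)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_access_findings(policy: dict) -> list:
    """Return a list of human-readable problems with an auditor policy.
    An empty list means: every Allow statement is read-only and time-bound."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if not is_read_only(action):
                findings.append(f"statement {i}: non-read action {action!r}")
        # The grant must expire with the audit window (assumed convention).
        expiry = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:CurrentTime")
        if expiry is None:
            findings.append(f"statement {i}: no expiry (DateLessThan aws:CurrentTime)")
    return findings


def check_policy_text(text: str) -> list:
    """Convenience wrapper for a policy stored as a JSON string or file."""
    return audit_access_findings(json.loads(text))


# Constructed sample policies (illustration only).
ALL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:GetLogEvents", "logs:DeleteLogGroup"],
        "Resource": "*",
    }],
}

SCOPED_AUDITOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "logs:DescribeLogGroups",
            "logs:FilterLogEvents",
            "logs:GetLogEvents",
            "cloudtrail:LookupEvents",
        ],
        "Resource": "*",
        "Condition": {"DateLessThan": {"aws:CurrentTime": "2015-01-31T00:00:00Z"}},
    }],
}

if __name__ == "__main__":
    for name, policy in [("all-access", ALL_ACCESS_POLICY),
                         ("mixed", MIXED_POLICY),
                         ("scoped auditor", SCOPED_AUDITOR_POLICY)]:
        problems = audit_access_findings(policy)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against the real policy (or equivalent role definition) you intend to attach to the auditor's account; a clean result means the "all access" the quoted professional describes is still read-only and will lapse on its own when the engagement ends.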
Audits are a necessary beast, but there is a way to make them more palatable for everyone involved (and keep you from becoming a statistic on the 2015 Verizon report). With that said, we’d love to hear from you! Are you an auditor who can share insights from your perspective? Or an IS guru who has a real world example of a successful auditing relationship? Or, do you work for a firm who has some IS concerns that you feel an audit could help you ameliorate? We’d love to be your sounding board and share your stories. Email us here!