How to Conduct an Internal Security Audit in Five Simple, Inexpensive Steps

Conducting an internal security audit is a great way to get your company on the right track towards protecting against a data breach and other costly security threats. Many IT and security professionals think of a security audit as a stressful, expensive solution to assessing the security compliance of their organization (it is, with external security audit costs hovering in the $50k range). But they are overlooking the fact that with the right training, resources, and data, an internal security audit can prove to be effective in scoring the security of their organization, and can create critical, actionable insights to improve company defenses.

There are five steps you need to take to ensure your internal security audit will provide return on your investment:

  1. Define Your Audit
  2. Define Your Threats
  3. Assess Current Security Performance
  4. Prioritize (Risk Scoring)
  5. Formulate Security Solutions

External vs. Internal Security Audit

Internal Audit vs. External Audit

Before we dive into the specifics of each step, it’s important to understand the difference between an external and internal security audit. An external security audit has incredible value for companies, but it’s prohibitively expensive for smaller businesses and still relies heavily on the cooperation and coordination of internal IT and security teams. Those teams must first and foremost find a respected and affordable external audit partner, but they’re also required to set goals/expectations for auditors, provide all the relevant and accurate data, and implement recommended changes.

Still, there’s a reason why larger organizations rely on external audits (and why financial institutions are required to have external audits as per the the Gramm-Leach-Bliley Act) on top of the audits and assessments done by internal teams.

External audits are performed by seasoned professionals who have all the appropriate tools and software to conduct a thorough audit — assuming they receive the requisite data and direction. Because they are conducted by people outside the business, it also ensures that no business unit is overlooked due to internal biases. Auditors have the advantage of understanding all security protocols and are trained to spot flaws in both physical and digital systems.

Despite the benefits, many IT and security professionals opt for internal security audits due to their speed, cost, efficiency, and consistency.

With an internal security audit, you can establish a baseline from which you can measure improvement for future audits. As these internal audits are essentially free (minus the time commitment), they can be done more frequently. Additionally, gathering and sorting relevant data is simplified because it isn’t being distributed to a third party. Another nice perk is that internal security audits cause less disruption to the workflow of employees.

If you choose to undertake an internal security audit, it’s imperative that you educate yourself in the compliance requirements necessary to uphold security protocols. Once familiar, you’ll have an understanding of where you should be looking – and that means you’re ready to begin your internal security audit.

Here are the five simple, inexpensive steps you can take to conduct an internal security audit:

1. Define Your Audit

Define Your Audit

Your first job as an auditor is to define the scope of your audit – that means you need to write down a list of all of your assets. Assets include obvious things like computer equipment and sensitive company and customer data, but it also includes things without which the business would require time or money to fix like important internal documentation.

Once you have a lengthy list of assets, you need to define your security perimeter.

A security perimeter segments your assets into two buckets: things you will audit and things you won’t audit. It is unreasonable to expect that you can audit everything. Choose your most valuable assets, build a security perimeter around them, and put 100% of your focus on those assets.

2. Define Your Threats

Next, take your list of valuable assets and write down a corresponding list of potential threats to those assets.

This can range from from poor employee passwords protecting sensitive company or customer data, to DDoS (Denial of Service) attacks, and can even include physical breaches or damage caused by a natural disaster. Essentially, any potential threat should be considered, as long as the threat can legitimately cost your businesses a significant amount of money.

Here are a list of common threats you should think about during this step:

  • Negligent Employees: Your employees are your first line of defense – how well trained are they to notice suspicious activity (ex. phishing) and to follow security protocols laid out by your team? Are they reusing personal passwords to protect sensitive company accounts?
  • Phishing Attacks: Breach perpetrators are increasingly turning to phishing scams to gain access to sensitive information. Over 75% of phishing attacks are financially motivated.
  • Poor Password Behavior: Leveraged in 81% of hacking-related breaches, weak or stolen passwords are the #1 method used by perpetrators.
  • Malicious Insiders: It’s important to take into account that it’s possible that there is someone within your business, or who has access to your data via a connection with a third party, who would steal or misuse sensitive information.

[Read: Insider Threat Report (2018) – get your free 34-page report now.]

  • DDos Attacks: A distributed denial-of-service (DDoS) attack is what happens when multiple systems flood a targeted system (typically a web server) and overload it, thus rendering it useless.
  • BYOD (Bring Your Own Device): Does your organization allow BYOD? If so, the attack surface for perpetrators is larger, and weaker. Any device that has access to your systems needs to be accounted for, even if it’s not owned by your business.
  • Malware: This accounts for a number of different threats, like worms, Trojan horses, spyware, and includes an increasingly popular threat: ransomware.
  • Physical Breach or Natural Disaster: While unlikely, the consequences of one or both of these things can be incredibly expensive. How susceptible is your organization?

3. Assess Current Security Performance

Assess Current Security Performance

Now that you have your list of threats, you need to be candid about your company’s ability to defend against them. At this point, you are evaluating the performance of existing security structures, which means you’re essentially evaluating the performance of yourself, your team, or your department.

This is one area where an external audit can provide additional value, because it ensures that no internal biases are affecting the outcome of the audit.

It is critical to the legitimacy and efficacy of your internal security audit to try and block out any emotion or bias you have towards evaluating and assessing your performance to date, and the performance of your department at large.

Maybe your team is particularly good at monitoring your network and detecting threats, but are your employees up-to-date on the latest methods used by hackers to gain access to your systems? As the first line of defense, perhaps you should weigh threats against employees more heavily than threats related to network detection. Of course, this works both ways depending on the strengths and weaknesses of your team as it relates to threats you face.

Factoring in your organization’s ability to either defend well against certain threats or keep valuable assets well protected is invaluable during the next step: prioritization.

4. Prioritize (Risk Scoring)

Prioritize (Risk Scoring)

This may be the most important job you have as an auditor. How do you prioritize?

Take your list of threats and weigh the potential damage of a threat occurrence versus the chances that it actually can occur (thus assigning a risk score to each). For example, a natural disaster can obliterate a business (high risk score), but if your assets exist in a place that has never been hit with a natural catastrophe, the risk score should be lowered accordingly.

Don’t forget to include the results of the current security performance assessment (step #3) when scoring relevant threats.

During your threat assessment, it’s important to take a step back and look at additional factors:

  • History of your organization: Has your business experienced a cyber-attack or breach in the past?
  • Current cyber security trends: What is the current method of choice for perpetrators? What threats are growing in popularity, and which are becoming less frequent? What new solutions are available to defend against certain threats?
  • Industry-level trends: Say you work in the financial industry, how does that affect not only your data, but the likelihood of a breach? What types of breaches are more prevalent in your industry?
  • Regulation and Compliance: Are you a public or private company? What kind of data do you handle? Does your organization store and/or transmit sensitive financial or personal information? Who has access to what systems?The answers to these questions will have implications on the risk score you are assigning to certain threats and the value you are placing on particular assets.

5. Formulate Security Solutions

Formulate Security Solutions

The final step of your internal security audit is straightforward — take your prioritized list of threats and write down a corresponding list of security improvements or best practices to negate or eliminate them. This list is now your personal to-do list for the coming weeks and months.

Here are a list of common security solutions for you to think about during this step:

  • Employee Education Awareness: 50% of executives say they don’t have an employee security awareness training program. That is unacceptable. Employees are the weakest link in your network security — create training for new employees and updates for existing ones to create awareness around security best practices like how to spot a phishing email.
  • Email Protection: Phishing attacks are increasingly popular nowadays, and they are increasingly becoming more difficult to identify. Once clicked, a phishing email gives a perpetrator a number of options to gain access to your data via software installation. Spam filters help, but identifying emails as “internal” or “external” to your network is also highly valuable (you can append that to each subject line so employees know where emails are originating from).
  • Password Safety and Access Management: Passwords are tricky, because they need to be complex and unique to each account. Humans simply aren’t wired to remember tens or hundreds of passwords, and thus tend to either reuse them or store them in unprotected Word docs or notepads. Invest in a business password manager, eliminate password reuse, enhance password complexity, and enable safe password sharing. As the admin, you can also manage who has access to which passwords across the organization, to ensure sensitive accounts are only available to appropriate personnel. Don’t forget to use two-factor authentication for an additional layer of security.
  • Network Monitoring: Perpetrators are oftentimes trying to gain access to your network. You can look into network monitoring software to help alert you to any questionable activity, unknown access attempts, and more, to help keep you a step ahead of of any potentially harmful intruders. These software systems, like Darktrace, offer 24/7 protection and use artificial intelligence to help identify cyber crimes before they occur, but are typically on the expensive side.
  • Data Backup: It’s stunning how often companies forget this simple step. If anything happens to your data, your business is likely toast. Backup your data consistently and ensure that it’s safe and separate in case of a malware attack or a physical attack to your primary servers.
  • Software Updates: Keeping everyone on your network on the latest software is invaluable towards securing your access points. You can enforce software updates manually, or you can use a software like Duo to keep your sensitive accounts locked to employees whose software isn’t up-to-date.

Your Internal Security Audit is Complete

Congratulations, you now have the tools to complete your first internal security audit. Keep in mind that auditing is an iterative process and necessitates continued review and improvements for future audits.

Your first security audit should be used as a baseline for all future audits — measuring your success and failures over time is the only way to truly assess performance.

By continuing to improve your methods and process, you’ll create an atmosphere of consistent security review and ensure you’re always in the best position to protect your business against any type of security threat.

[Read: How to Prevent a Data Breach in 3 Simple, Inexpensive Steps]

Interested in a business password manager to help you eliminate password reuse and protect against employee negligence? Check out Dashlane Business, trusted by over 7,000 businesses worldwide, and lauded by businesses big and small for its effectiveness in changing security behavior and simplicity of design that enables company-wide adoption.